Emails sent to non-existing business mailboxes, for example because of a typo, can be a real pain for both senders and businesses, preventing communication from taking place. Fortunately, you can equip your organization with a kind of ‘safety net’ for emails ‘lost in space’: a catch all mailbox. I will explain what a catch all mailbox is and how to set it up in Microsoft 365 (or Exchange Online, to be exact).
A catch all (or catch-all) mailbox is a shared mailbox that you can use to receive (or catch) all the incorrectly addressed messages sent to your organization (tenant), which would otherwise be bounced back, producing a Non-Delivery Report (NDR) for the sender.
A catch all mailbox cannot exist on its own. To work properly, it requires you to complete some additional configuration steps such as:
- Create a dynamic distribution group with all the valid mailboxes in your tenant which should be ignored by the catch all mailbox.
- Set your company’s email domain to Internal Relay to make the transport rule below take precedence over the default Directory-Based Edge Blocking mechanism that rejects messages for invalid recipients.
- Create a transport rule that will redirect all the messages with an invalid addressee to your catch all mailbox.
All these steps will be discussed in detail in the How to set up a catch all email and rule section.
As highlighted at the beginning, a catch all mailbox allows you to save the communication with an external sender (possibly a customer), even when they fail to use a correct email address in a message they send to your domain.
A catch all email address can also help organizations that are legally required to receive absolutely all emails, whether or not an actual mailbox exists.
You cannot use a catch all mailbox in the following environments:
- Hybrid environments
- Environments where Exchange Online coexists with a third-party email system
- Environments with the old Small Business plans (no support for transport rules)
A catch-all mailbox can be useful. But it doesn’t necessarily mean that all companies should drop everything and start setting them up if they haven’t done that already. Think about it for a second.
Some of your shared mailboxes receive more spam than the others or than user mailboxes, right? That’s usually because they use a common name, like ‘[email protected]<yourdomain>.com,’ or ‘[email protected]<yourdomain>.com.’ Those mailboxes are much more likely to suffer from an ongoing onslaught of spam, phishing attempts and so on. A catch-all mailbox is like a utopia for threat actors. And a bit of a dystopia for yourself. The mailbox opens up your organization for attacks even when mailing is sent to ‘[email protected]<yourdomain>.com’ or ‘[email protected]<yourdomain>.com.’ In other words:
- Your catch-all mailbox will probably be full of spam (some of it being potentially dangerous).
- Those who manage the mailbox need to have high security awareness.
- In most cases, sifting through the mailbox’s content will be a chore that yields little gain.
In the end, you (or, more likely, the management) need to take a close look at pros and cons. Put it into your company’s context.
How to set up a catch all email and rule?
This section shows how to configure a catch all mailbox, step by step. For a successful configuration, you need to complete the steps in all the subsections below (unless stated otherwise). Keep in mind that all the procedures should be completed in the Exchange admin center only.
Create a shared mailbox
First, create a new shared mailbox and assign permissions to it for the chosen user(s). They will be responsible for checking the mailbox and forwarding emails to relevant people in your organization (or responding). It’s also reasonable to start with the shared mailbox configuration, because permission propagation can take up to 24 hours (usually 2 hours).
Tip: You can use an existing shared mailbox instead of creating a new one. If permissions to that mailbox are already granted to the relevant users, you can skip this section altogether.
- Log in to the Exchange admin center.
- Go to Recipients > Mailboxes and click Add a shared mailbox.
- In the pane that opens, define the mailbox’s Display Name, address, choose your organization’s main domain from the dropdown menu, and click Create. In this example, I’ll call it simply Catchall and use [email protected] as the email address.
- Close the wizard, locate the newly created mailbox on the list and choose Mailbox delegation.
- Click Edit in the Read and manage (Full Access) section and choose user(s) that will manage the catch all mailbox correspondence in your organization.
- Close the pane and proceed to the next section.
Create a dynamic distribution group
Now, let’s create a dynamic distribution group (DDG) covering all the valid mailboxes in your tenant. Since the group is dynamic, it’ll be automatically updated if user(s) join or leave your organization in the future.
The group will be used as an exception in the catch all mailbox’s transport rule (which you’ll create later on) to prevent correctly addressed emails from being processed by the rule and, consequently, redirected to your catch all mailbox.
- In the left-hand navigation menu, go to Recipients > Groups and click Add a group on any tab you want.
- Choose Dynamic distribution as the Group type.
- Name your group the way you want – I’ll call it simply All users.
- To add all the valid mailboxes in your organization, leave the default option (All recipient types) selected in the Users step.
- In the Settings step, specify the group’s email address, e.g. [email protected].
- In the final step, click Create group and next Close to finish the setup.
Note that it might take up to 2 hours before your group becomes fully functional.
However, there’s a catch with dynamic distribution groups: according to the information from Microsoft, the membership information for each dynamic distribution group in Exchange Online is updated every 24 hours. It means that when you, for example, add a new user to your organization, emails sent to them might not reach their mailbox but be redirected to a catch all mailbox for up to 24 hours.
That’s why, especially if the provisioning of new users in your organization is quick or you often add/remove mailboxes, it might be a good idea to also create a static distribution group (to be manually and instantly updated with a ‘freshly-added’ user by you) and add it as another exception to the Catch all mailbox transport rule later on.
Once 24 hours have elapsed and the user automatically becomes a member of your dynamic distribution group, you can remove them from the static group or leave them untouched if you want.
Refer to the section below to learn how to create an optional static distribution group or skip directly to the next step: Set your company’s email domain to internal relay.
(Optional) Create a static distribution group
- Launch the group creation wizard in the same way as for the dynamic distribution group.
- Choose Distribution as the Group type.
- Name your group the way you want – I’ll call it simply New users.
- In the next step, assign yourself (or a person responsible for managing the group) as the owner.
- You can skip the Members step for now – you’ll start adding new members the next time you add a new Microsoft 365 user to your organization.
- Now, configure the settings:
  - Define the group’s email address.
  - Decide how users can join/leave the group – since you’ll manage users on your own, you can choose Closed in both cases to avoid users accidentally joining the group.
  - Leave other settings as default.
- Finally, click the Create group button and wait for the group to be created.
Note that it might take up to 1 hour before your group becomes fully functional. Now, when you add a new user to your organization in the future, remember to add that user to this static distribution group as well to avoid unnecessary email redirection to the catch all mailbox, until the user automatically becomes a member of the previously created dynamic distribution group (up to 24 hours).
Set your company’s email domain to internal relay
Setting your domain to internal relay (or non-authoritative relay) will allow you to relay misaddressed messages, e.g., with the use of a transport rule, to your catch all mailbox. Otherwise, with the authoritative domain setup, such emails are blocked and generate a Non-Delivery Report (which is the default behavior in Exchange Online).
- In the left-hand navigation menu, go to Mail flow > Accepted domains, and choose your organization’s email domain. In most cases, it’ll be your default company domain.
- In the pane that opens, select Internal relay and click Save.
Create a transport rule
Finally, you need to create the transport rule that will use the previously configured items as conditions and, once saved, make the catch all mailbox fully operational.
- In the left-hand navigation menu, go to Mail flow > Rules. Click the Add a rule button and choose Create a new rule.
- First, name your rule whatever you want – the ‘Catch all’ phrase allows easy identification.
- Next, in the Apply this rule if section, choose The sender > is external/internal. In the pane that opens, choose Outside the organization from the drop-down list and confirm by clicking Save.
- Next, under the Do the following section, select Redirect the message to > these recipients. In the pane that opens, select the catch all mailbox you created before from the list and click Save.
- Now, under the Except if section, select The recipient > is a member of this group. In the pane that opens, select the dynamic distribution group and (if you want to speed up user provisioning) the static distribution group you created before from the list, and click Save.
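- Review your rule: it should apply to senders outside the organization, redirect the message to your catch all mailbox, and list your distribution group(s) as an exception. If the settings look OK, click Next to go to the next step of the rule creation wizard.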
- In the Set rule settings step, leave all the default settings as they are and proceed to the final step by clicking Next.
- The final step (Review and finish) lets you check your settings once again. If you’re OK with them, click Finish > Done to create your catch all transport rule and make it appear on the rules’ list.
- Note that each newly created rule is disabled by default. To make use of the catch all mailbox, remember to enable your rule by clicking it on the list and setting the toggle switch to Enabled.
Now that everything’s ready, do some testing by sending a few emails from an external mailbox to a non-existing email address in your organization’s domain. All the messages should be relayed to the catch all mailbox, so you should be able to see them when you access it.
You can also test if the created groups work as intended:
- For the dynamic distribution group, create a new mailbox, wait for about 24 hours, and send a few emails from an external email address to see if they reach the newly created mailbox (correct behavior) or are redirected to the catch all mailbox (incorrect behavior). If you experience the incorrect behavior, wait some more time for the changes to propagate.
- For the static distribution group, do similar testing, remembering to manually add the freshly created user (mailbox) first. This time you won’t have to wait.
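To double-check the finished configuration, here is a read-only audit for Exchange Online PowerShell (an added example, not part of the original article). The domain and catch all address are placeholders, the rule and group names follow the ones used in this walkthrough, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example: read-only audit of the catch all setup (changes nothing).
# Assumes an open Exchange Online PowerShell session (Connect-ExchangeOnline).
$Domain       = 'example.com'            # placeholder: your accepted domain
$CatchAll     = 'catchall@example.com'   # placeholder: catch all mailbox address
$RuleName     = 'Catch all'              # rule name used in this walkthrough
$DynamicGroup = 'All users'              # dynamic distribution group
$StaticGroup  = 'New users'              # optional static group ('' if not used)
$findings = @()

# 1. Accepted domain must be Internal Relay, or invalid recipients are rejected.
$type = (Get-AcceptedDomain -Identity $Domain).DomainType
if ("$type" -ne 'InternalRelay') { $findings += "Domain type is '$type', expected InternalRelay" }

# 2. Rule must be enabled, limited to external senders, and redirect to the mailbox.
$rule = Get-TransportRule -Identity $RuleName
if ("$($rule.State)" -ne 'Enabled') { $findings += 'Rule is not enabled' }
if ("$($rule.FromScope)" -ne 'NotInOrganization') { $findings += 'Rule is not limited to external senders' }
if (@($rule.RedirectMessageTo | ForEach-Object { "$_" }) -notcontains $CatchAll) {
    $findings += "Rule does not redirect to $CatchAll"
}

# 3. Each group must be listed as an exception (Except if > recipient is a member of).
#    Assumption: the rule reports its exception groups by SMTP address.
$exceptions = @($rule.ExceptIfSentToMemberOf | ForEach-Object { "$_" })
$groupAddresses = @("$((Get-DynamicDistributionGroup -Identity $DynamicGroup).PrimarySmtpAddress)")
if ($StaticGroup) { $groupAddresses += "$((Get-DistributionGroup -Identity $StaticGroup).PrimarySmtpAddress)" }
foreach ($address in $groupAddresses) {
    if ($exceptions -notcontains $address) { $findings += "Group $address is not an exception on the rule" }
}

# 4. Mailboxes in neither group: external mail to them currently lands in the
#    catch all mailbox. The dynamic group's stored membership refreshes every 24 hours.
$covered = @(Get-DynamicDistributionGroupMember -Identity $DynamicGroup -ResultSize Unlimited)
if ($StaticGroup) { $covered += @(Get-DistributionGroupMember -Identity $StaticGroup -ResultSize Unlimited) }
$coveredAddresses = @($covered | ForEach-Object { "$($_.PrimarySmtpAddress)" })
$uncovered = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $coveredAddresses -notcontains "$($_.PrimarySmtpAddress)" })

if ($findings.Count -eq 0) { 'Configuration matches the walkthrough.' } else { $findings }
"Mailboxes not yet covered by a group exception: $($uncovered.Count)"
$uncovered | Select-Object DisplayName, PrimarySmtpAddress, WhenCreated
```

Any mailbox listed in the last step is a candidate for the static distribution group until the dynamic group picks it up.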
Will a catch all email work with third party solutions in Exchange Online?
In most cases, the catch all mailbox should not interfere with any third-party solutions like a smart host or signature adding software that process your emails in transit in Exchange Online.
If, however, you experience any problems (e.g., emails get blocked), you need to modify the configuration by completing these two general steps:
- In the rules list (Mail flow > Rules), move your third-party solution’s rule above the catch all mailbox’s rule. You can use the arrows just above the list or set the priority in each rule’s configuration window.
- Next, add the exception for your third-party solution to the catch all mailbox’s rule by using the add exception button and choosing an appropriate condition. You can, for example, ‘whitelist’ your third-party solution based on:
  - Fully Qualified Domain Name
  - IP address
  - Specific header
  - Keywords in Subject or Body
For sample instructions on how to add an exception to a transport rule, see this article in our Knowledge Base.