Skip to content
Back to Blog
Jul 02, 2026

Catch-All Email: What It Is, Verification, and Cold Email Risk

Catch-all domains accept mail to any address, so verifiers cannot confirm the mailbox and flag it risky. Here is how catch-all verification works, the real bounce numbers, and when to send anyway.

A catch-all email is an address on a domain whose mail server accepts every message sent to it, even messages addressed to mailboxes that do not exist. Because the server says yes to everything, a verifier cannot confirm the specific recipient, so it labels the address risky instead of valid. Sent blind, catch-alls hard bounce at roughly 23 percent, enough to burn a sending domain. ColdMailer is cold email software built for exactly this kind of careful sending: it delivers from inboxes you already own through your own SMTP email sender, writes a per-prospect opener with AI email personalization software, and lets you keep risky segments small and isolated. Test any draft first with the free cold email spam checker.

Run a fresh B2B list through any verification service and you will see it: a big slice of addresses come back neither valid nor invalid, just "catch-all" or "accept-all" or "risky." Depending on whose numbers you trust, somewhere between a third of business domains and half of all B2B addresses sit behind catch-all configurations, and the share climbs at the mid-market and enterprise companies most worth selling to. Delete them all and you throw away a huge piece of your addressable market. Send to them blind and your bounce rate can triple past the danger line. This guide explains what catch-all email actually is, how 2026 verification tools work around it, and a practical rule for deciding when a catch-all address is worth the send.

What is a catch-all email?

A catch-all email is any address on a domain configured to accept all incoming mail, no matter what appears before the @ sign. If acme.com runs a catch-all, messages to [email protected], [email protected], and complete gibberish like [email protected] are all accepted by the server. You will also see it called an accept-all or wildcard address.

Companies set this up on purpose. A catch-all makes sure a misspelled address still reaches somebody, catches mail sent to employees who left, and gives IT one bucket to review instead of a stream of rejected messages. Around 30 percent of businesses run their domains this way, and larger organizations do it more often than small ones. The setting is good for the company receiving mail and inconvenient for anyone trying to confirm that a specific person's mailbox exists, which is exactly the position a cold email sender is in.

What is a catch-all domain?

A catch-all domain is a domain whose mail server is set to accept messages addressed to any mailbox, existing or not. The catch-all lives at the domain level, not the address level: [email protected] is not individually a catch-all address, but if acme.com accepts everything, every address at acme.com inherits the uncertainty.

Detecting one is simple, and it is the same test every verification tool runs. Ask the domain's mail server, during the SMTP conversation, whether it will accept a deliberately fake address like [email protected]. A normal server rejects it. A catch-all server accepts it, and the moment it does, the server has told you it accepts everything, so its yes to a real-looking address proves nothing. That single behavior is the root of the whole catch-all problem.

Why do email verifiers flag catch-all emails as risky?

Standard email verification works in three steps: check the syntax, look up the domain's MX records, then probe the server to confirm the specific mailbox exists. On a catch-all domain that third step always comes back positive, even for mailboxes that do not exist, so the verifier cannot tell a real address from a fake one and returns "risky" or "accept-all" instead of "valid."

The risk is not theoretical. Many catch-all servers accept first and sort later: the message is taken at the door, then quietly discarded or bounced hours down the line, after your sending tool already logged a successful delivery. Some catch-all inboxes are monitored by nobody at all, and a few are spam traps waiting for careless senders. Here is how to read each verdict a verifier gives you.

Verifier resultWhat it meansWhat to do in cold email
ValidThe mailbox was individually confirmed to existSafe to send. Re-verify before each campaign since data decays
Catch-all / accept-allThe domain accepts everything, so the mailbox could not be confirmedRun specialist catch-all verification, or send only in small isolated batches
Risky / unknownThe server blocked the check or gave an ambiguous answerTreat like a catch-all: deprioritize, test carefully, watch bounces
InvalidThe mailbox does not exist and will hard bounceRemove immediately, never send

Are catch-all emails safe to send to?

Not as a group. Individually, many catch-all addresses belong to real people and deliver fine, but sent blind they hard bounce at about 23 percent, per Scrubby's data on risky and catch-all addresses. On a list that is 42 percent catch-all, a common share for enterprise-heavy B2B data, that pushes overall bounces past 9 percent, more than four times the safe line.

For context, keeping your cold email bounce rate under 2 percent is the standard, and mailbox providers start applying real pressure above 5 percent. A quarter of a segment hard bouncing does not just waste sends; it tells Gmail and Outlook that you do not know who you are mailing, and your email sender reputation takes the hit on every future send, including to your verified prospects. So the honest answer is: catch-alls are unsafe in bulk and manageable in small, deliberate doses, which is why how you verify and segment them matters more than whether you keep them.

Catch-alls punish spray-and-pray senders. ColdMailer works the opposite way: small, personalized batches from your own warmed inboxes, so one risky segment never takes down your whole program. Run your next draft through the free cold email spam checker, then start a campaign that treats deliverability as a feature.

How to verify catch-all emails

Standard SMTP verification cannot confirm a catch-all mailbox, so specialist tools infer whether the person exists from indirect signals instead of asking the mail server directly. In 2026 four methods dominate: checking whether the address has accounts on third-party apps, querying corporate identity providers like Okta, analyzing how the domain's security gateway responds, and send-and-watch testing that delivers real probe emails from burner inboxes and monitors what bounces.

Each method trades something. App-signal and identity-provider checks are fast and safe but only cover people who show up in those systems. Send-and-watch is the most definitive and the slowest, and it burns reputation on someone's infrastructure, which is why it runs on disposable inboxes rather than yours. Expect to pay more per catch-all check than for standard verification, though it is still cents per address against the cost of a burned domain.

Set your expectations honestly: in a 2026 benchmark of 15 verification tools against roughly 3,000 real business addresses, the best overall accuracy was about 70 percent, and accuracy specifically on catch-all domains runs lower. No catch-all verifier is 100 percent accurate, because the protocol makes that impossible, and Google Workspace and Microsoft 365 servers get harder to probe every year. Specialist verification upgrades a coin flip to good odds. It does not remove the need for careful sending.

Should you send cold emails to catch-all addresses?

Send when the prospect justifies the risk, skip when they do not. For a high-value account, one where a closed deal is worth thousands, run the address through specialist catch-all verification and send at low volume from an isolated inbox. For high-volume prospecting, drop unverified catch-alls entirely: a segment that hard bounces at 23 percent will cost you far more in reputation than it returns in replies.

The mistake most teams make is treating this as one decision for the whole list. It is a per-segment decision. A catch-all address at your dream account deserves ten minutes of manual checking (is the person on LinkedIn, does the domain pattern match other confirmed addresses at the company). Five thousand catch-alls from a scraped export deserve the delete key. In between, let verification confidence scores and deal size set the line. And do not delete the maybes outright; park them in a separate segment, because lead enrichment or a fresh verification pass often upgrades them to confirmed later.

How do you handle catch-all emails in a cold email campaign?

Three rules: isolate, throttle, prune. Keep catch-alls in their own campaign sent from a secondary warmed inbox, never mixed with verified addresses, so any damage stays contained. Send small batches of 50 to 100 per day per mailbox and watch the response before committing more. Cut any address that shows no engagement after two or three touches.

  • Isolate the segment. A separate campaign, and ideally a separate sending domain, means a bad batch dents one inbox instead of your main program. This is the same logic behind normal email sending limits, applied more conservatively.
  • Throttle hard. 50 to 100 catch-all sends per mailbox per day is enough to learn the segment's real bounce behavior without triggering provider alarms if it goes badly.
  • Watch bounces after every batch. Learn to read what comes back; the difference between a soft bounce vs hard bounce tells you whether to retry an address or remove it for good. Pull the whole segment the moment hard bounces cross 2 percent.
  • Prune by engagement. No open or reply after 2 or 3 sends means the mailbox is probably unmonitored. Remove it.
  • Re-verify before every campaign. B2B contact data decays about 30 percent a year, so last quarter's confirmed catch-all is this quarter's silent bounce. A regular email list cleaning pass keeps the segment honest.

How do you know if an email is a catch-all?

Your verification tool tells you: any address that comes back "catch-all," "accept-all," or "risky" sits on a catch-all domain. To check a single domain yourself, test whether its mail server accepts an obviously fake address; if a random string at that domain is accepted, the domain catches everything.

Most verifiers run exactly that test automatically, an SMTP conversation that offers a made-up mailbox and watches whether the server objects. In practice you rarely need to check by hand. What you do need is to actually read the verdict column in your verification export instead of treating everything that is not "invalid" as safe. Segment on it: valid addresses go to your main campaign, catch-alls go to the isolated one, invalids go nowhere. That single sorting habit, applied when you build a cold email list, prevents most catch-all damage before the first send.

The short version

A catch-all email sits on a domain that accepts mail to any address, so standard verification cannot confirm the mailbox and flags it risky. These addresses are a third or more of most B2B lists, they hard bounce around 23 percent when sent blind, and ignoring the label can push a campaign past the 5 percent bounce threshold where providers start blocking. Specialist catch-all verification (app signals, identity providers, gateway analysis, send-and-watch) recovers a real share of them, topping out near 70 percent accuracy. The working rule: verify and send carefully to catch-alls at accounts you care about, skip them in bulk sends, and always keep them isolated, throttled, and pruned by engagement.

A few adjacent tools make the careful path easier. The bounce notices and replies a catch-all test batch generates are worth mining instead of reading by hand; an email parsing tool turns them into structured CRM data automatically. When a valuable prospect's email cannot be confirmed at all, a WhatsApp bulk messaging platform gives you a second, verifiable channel to the same person. And if outbound is where your time goes, an AI SEO agent can keep the inbound side publishing without you.

Start sending

Put this into practice with ColdMailer

Bring your own SMTP, let AI personalize every message, and land in the inbox, not spam. Free to start.

Start Free