Why isn't catch-all a good idea and what can you do about it?


I often encounter the opinion that a mail service which does not let you set up a catch-all address is at a disadvantage. But it's not so much a disadvantage as a security feature.

What does catch-all mean?

First of all, what a catch-all actually is: it lets you receive email sent even to non-existent addresses in your domain, through a so-called wildcard email address. That address looks like *@domain.tld. The address itself does not exist, but the * character means that anyone can send an email to whatever@domain.tld and it will arrive.

Why does someone have so many addresses?

It's a privacy feature. You should have a different email address for each service, and this will prevent spam. You may have noticed that some people write their email address on a page with the . replaced by the word [dot], the @ replaced by the word [at], and so on.

In my opinion it doesn't matter, because the bots will read the address anyway. All you do is add work for your visitors, who have to copy your address instead of just clicking a link to send you an email.

The second possibility is to post some random address of the form whatever@domain.tld, which is directed to your mailbox. But wait, what about the spam mentioned above?!

Why isn't catch-all a good idea?

Well, precisely because if your mailbox accepts messages to all addresses (even non-existent ones), an attacker doesn't have to find out which email address you use in order to contact you. They just need to send an email to whatever@domain.tld.

What can I do about it?

Not use it? I'm kidding. There are other ways to receive email on random addresses without having to enable catch-all.

One possibility is to create an alias by hand for each service you use, such as netflix@domain.tld or spotify@domain.tld. But you have to do it manually, and not every provider lets you create as many addresses as you need.
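The difference between the two setups, as an added example that is not part of the original post: a small model of how a mail server decides whether to accept a recipient under catch-all versus an explicit alias list. The function names, the alias set and the inbound recipients are constructed for illustration and do not describe any particular provider.

```python
# Added illustration: recipient handling with and without catch-all.
# DOMAIN, ALIASES and INBOUND are constructed sample data.

DOMAIN = "domain.tld"
ALIASES = {"netflix", "spotify"}      # addresses created on purpose

# Constructed inbound recipients: two real aliases and two guesses
# a sender could try without knowing any real address on the domain.
INBOUND = [
    "netflix@domain.tld",
    "spotify@domain.tld",
    "info@domain.tld",
    "whatever@domain.tld",
]

def resolve(rcpt, aliases, catch_all=False):
    """Return 'deliver' or 'reject' for one recipient address."""
    local, _, domain = rcpt.lower().rpartition("@")
    if domain != DOMAIN or not local:
        return "reject"               # other domain or malformed address
    if local in aliases:
        return "deliver"              # explicitly created address
    # Unknown local part: only the wildcard makes this deliverable.
    return "deliver" if catch_all else "reject"

def accepted(inbound, aliases, catch_all=False):
    """List the recipients that would reach the mailbox."""
    return [r for r in inbound if resolve(r, aliases, catch_all) == "deliver"]

if __name__ == "__main__":
    # Suppose the spotify alias leaked and was deleted to stop the spam.
    after_cleanup = ALIASES - {"spotify"}
    scenarios = [
        ("catch-all on", ALIASES, True),
        ("aliases only", ALIASES, False),
        ("aliases only, spotify deleted", after_cleanup, False),
        ("catch-all on, spotify deleted", after_cleanup, True),
    ]
    for label, aliases, catch_all in scenarios:
        print(f"{label}: {accepted(INBOUND, aliases, catch_all)}")
```

In this model, deleting a leaked alias only stops mail to it when catch-all is off; with the wildcard enabled, the deleted address becomes just another non-existent address that is accepted.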

There are also "anonymization" services that allow you to add a domain (it must be different from the one you use with your email provider) and have email addresses generated automatically, for example when creating new accounts.

One such service is SimpleLogin, which also allows you to create addresses automatically with the Bitwarden password manager. To use your own domain you need a subscription.

Another option, which lets you use the same domain you use for mail for masked addresses as well, is Fastmail. This one works with 1Password and also allows you to create addresses directly when registering new accounts.

Both services above also allow you to use these addresses to send emails.

There are also free options like Cloudflare or DuckDuckGo, but the latter doesn't allow you to use your own email domain.

I recommend, however, using email addresses on your own domain for important accounts, so that you don't get locked out if you lose your email (the provider stops the service or blocks your account for a violation of the rules). If you have your own domain, you can simply move it to another provider, which is not possible if you don't own a domain.

In the end

So don't sign up for catch-all email even if your provider offers it, and look around for other options, like the ones mentioned above.

It takes a bit of experience with DNS configuration, but it's not complicated. If you still need help, you can contact me.

Stay safe!