Home / Security / Set up a catch-all email address or audit unrouted addresses
Email Deliverability · Security Ring

Set up a catch-all email address or audit unrouted addresses

30 min Impact: medium Effort: low ✓ Manual completion

A catch-all email address receives mail sent to any address at your domain, even ones that do not actually exist, misspellings, old employee addresses, or spam bots guessing addresses, and auditing this setup closes both a spam and a security gap.

A catch-all left on by default silently accepts email for accounts that no longer exist, which is both a spam magnet and a real risk if an old address is later used to reset a password on some other service.

How to do it

  1. 1
    Check whether a catch-all is currently active
    Look at your email hosting or domain settings for a catch-all or wildcard address configuration.
  2. 2
    Decide deliberately whether you actually need one
    Most businesses are better served by specific, defined addresses rather than an open catch-all.
  3. 3
    Disable it if not genuinely needed
    Reduces spam volume and closes the associated security exposure.
  4. 4
    If keeping it, route it to somewhere actively monitored
    A catch-all nobody reads defeats the purpose of having one at all.

Common mistakes

How you will know it is done

Your catch-all configuration is a deliberate choice, either disabled or actively monitored, not a forgotten default.

Track this in your hive

The Security Ring turns this into a real, permanent mission — mark it complete once you have genuinely done it.

Open this mission in H.I.V.E. →