
Configure Catch all Mailbox in Microsoft 365

The catch all mailbox is a special mailbox that receives all the email messages sent to non-existent recipients in the organization. A catch all mailbox is an excellent way to find out which messages were sent to your organization but were not received by the recipients. In this article, you will learn how to configure a catch all mailbox in the Exchange admin center (EAC).

Catch all mailbox in Exchange Online

A catch all mailbox in Exchange Online can benefit your organization. It collects any email addressed to a non-existent or misspelled email address within the domain instead of bouncing it back to the sender as undeliverable. This feature is particularly useful in preventing the loss of legitimate emails due to typos or misconfiguration.

An excellent way to understand the catch all mailbox is with the example outlined below.

Let’s say that the manager of our HR department has the following email address: Amanda.Hansen@m365info.com. If someone sends an email message to the address Amanda.Heinz@m365info.com, the mail server (Exchange Online) will reject this message. The mail server will reply with a non-delivery report (NDR) to notify the sender that there is no such recipient and that it could not deliver the message.

Microsoft sends a How to Fix It template in the NDR message.


To avoid the above scenario, you can configure a catch all mailbox that will accept all these email messages.

The Exchange administrator or another organization user will have access permission to that specific catch all mailbox. From time to time, they can look into the catch all mailbox and check for legitimate mail that was supposed to be sent to a specific recipient in the organization.

Catch all mailbox risks

The catch all mailbox is not a solution supported by Microsoft 365, and Microsoft has not published formal information about a catch all mailbox feature. The reason is that a catch all mailbox can increase the amount of spam email received by the Microsoft 365 mail server.

Note: Exchange Online does not have the catch-all mailbox feature enabled by default.

Note: It’s important to understand that the catch all mailbox can’t be used or implemented in an Exchange Hybrid environment. It works only in a “cloud only” environment, meaning the organization’s mail infrastructure is hosted only by Exchange Online, and no other mail infrastructure is involved.

Authoritative vs. Internal Relay domain

Before we go through the steps, let’s explain why you must change the domain default settings from Authoritative to Internal Relay.

When we register our public domain name in Microsoft 365, it’s considered an accepted domain. For this accepted domain, you can choose between two different authorities:

  • Authoritative: Email is delivered only to valid recipients in this Exchange organization. All email for unknown recipients is rejected.
  • Internal Relay: Email is delivered to recipients in this Exchange organization or relayed to an email server at another physical or logical location.

By default, the accepted domain is set to Authoritative. It means that the Exchange Online server has the authority of this accepted domain.

When someone sends an email from a registered public domain to a recipient’s email address, the Exchange Online server will first look into the Global Address List (GAL). Exchange automatically creates this built-in list and includes every mail-enabled object in the Active Directory.

Note: If the recipient’s email address does not appear in the GAL, the Exchange Online server will reply with an NDR message. It will inform the source sender that the recipient does not exist.

Internal Relay

To share the authority with the Exchange Online server and another mail server, you must configure Internal Relay for your accepted domain.

If someone sends an email from a registered public domain to a recipient’s email address, the Exchange Online server will go through the recipient list (GAL).

Note: If the recipient’s email address does not appear in the GAL, the Exchange Online server will forward the mail to the other mail server.

Transport rule

Each time Exchange Online gets a request for delivering an email message to a non-existing Exchange Online recipient, it will look for the other mail infrastructure MX records by default.

To change this behavior, we must set up a transport rule in Exchange Online that forces Exchange Online to deliver the email message to the designated catch all mailbox.

How to configure catch all mailbox in Exchange Online

To configure the catch all mailbox in Exchange admin center (EAC), we need to follow these steps:

  1. Create a shared mailbox to use as the catch all mailbox
  2. Create a dynamic distribution group
  3. Change accepted domain from Authoritative to Internal Relay
  4. Create an Exchange Online transport rule

Step 1. Create shared mailbox

The first step is to create a shared mailbox to use as the catch all mailbox. It is better to receive the non-existing emails of your domain in one mailbox.

We recommend creating a shared mailbox because of the following reasons:

  • There are no licenses required
  • Share with other members
  • Assign Send as or Full Access permissions

If you already have a shared mailbox you want to use as the catch all mailbox, then you can skip this step.

Create a shared mailbox in Exchange admin center:

  1. Sign in to Exchange admin center
  2. Click Recipients > Mailboxes
  3. Click Add a shared mailbox
  4. Type Display name Catch All
  5. Type Email address Catch.All
  6. Select Domain m365info.com
  7. Click Create

Note: You will get a notification saying the shared mailbox was created. It may take a few minutes before you can add members. Close the pane.

Add members and assign permissions to the created shared mailbox:

  1. Click on the created shared mailbox (Catch All) from the list
  2. Select Delegation
  3. Go to Read and manage (Full Access) > Click Edit
  4. Click Add members
  5. Select users
  6. Click Save
  7. Click Confirm
  8. Close the pane

A notification will show that the mailbox permissions and selected users were added successfully. The changes are saved and will appear within minutes.

If you want to add Send as permission to users in the shared mailbox, you can follow the steps shown above.

Step 2. Create dynamic distribution group

The next step is to create a dynamic distribution group including all the existing organization recipients. This is to let the catch all mailbox understand which email addresses already exist within the organization domain.

Create a dynamic distribution group in EAC:

  1. Sign in to Exchange admin center
  2. Click Recipients > Groups
  3. Click Add a group

Choose a group type.

  1. Select Dynamic distribution
  2. Click Next

Set up the basics.

  1. Fill in the Name, e.g., All Microsoft 365 recipients
  2. Click Next

Assign users.

  1. Select All recipient types
  2. Click Next

Edit settings.

  1. Type the email address
  2. Select the domain
  3. Click Next

Review and finish adding the group.

  1. Click Create group

The group All Microsoft 365 recipients is created, but it isn’t ready to use yet.

  1. Click Close

Note: It might take up to two hours to prepare the group for use.

Step 3. Convert domain to Internal Relay

Convert the accepted domain default settings from Authoritative to Internal Relay by following the steps below.

  1. Go to the Exchange admin center
  2. Click Mail flow > Accepted domains
  3. Click on the default domain

The accepted domain (m365info.com) pane opens.

  1. Select Internal Relay
  2. Select Allow mail to be sent from this domain
  3. Click Save

You can see that the accepted default domain type has changed to Internal Relay.

Note: An organization with multiple public domain names in Microsoft 365 will need to change the default setting from Authoritative to Internal Relay for each of the domains separately.

To configure the catch all mailbox, we need to create a new rule in the next step.

Step 4. Create mail flow transport rule

Time needed: 15 minutes

Create a new transport rule in Exchange admin center.

  1. Go to the Exchange admin center

    Click Mail flow > Rules
    Click Add a rule
    Select Create a new rule

  2. Set rule conditions

    Type the name Catch all rule

  3. Apply this rule if

    Select > The sender
    Select > is external/internal

  4. Select sender location

    Select > Outside the organization
    Click Save

  5. Do the following

    Select > Redirect the message to
    Select > these recipients

  6. Select members

    Search and select the created shared mailbox from the list
    Click Save

  7. Except if

    Select > The recipient
    Select > is a member of this group

  8. Select members

    Select the created dynamic distribution group > All Microsoft 365 recipients
    Click Save

  9. Name and set conditions for your transport rule results

    Click Next

  10. Set rule settings

    Leave the default settings & click Next

  11. Review and finish

    Click Finish

  12. Transport rule created successfully

    Click Done to close the pane

The transport rule is disabled by default. Therefore, you must go to the Catch all rule you created, select it, and set the toggle to Enabled. Wait a few minutes for the change to take effect.
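
The four steps above, scripted with Exchange Online PowerShell and followed by a read-back of the resulting configuration. This is an added example, not code from the original article; the group email address and the delegate account are placeholder assumptions, and the other names are the ones used in the steps.

```powershell
# Added example: Steps 1-4 of this article as Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
$Domain       = 'm365info.com'                  # accepted domain used in the article
$CatchAll     = "Catch.All@$Domain"             # shared mailbox from Step 1
$GroupName    = 'All Microsoft 365 recipients'  # group name from Step 2
$GroupAddress = "AllRecipients@$Domain"         # assumption: the article does not give this address
$Delegate     = "delegate@$Domain"              # placeholder: user who reviews the mailbox
$RuleName     = 'Catch all rule'                # rule name from Step 4

Connect-ExchangeOnline

# Step 1: shared mailbox (skipped if it already exists) and Full Access for the delegate.
if (-not (Get-Mailbox -Identity $CatchAll -ErrorAction SilentlyContinue)) {
    New-Mailbox -Shared -Name 'Catch All' -DisplayName 'Catch All' `
        -PrimarySmtpAddress $CatchAll | Out-Null
}
Add-MailboxPermission -Identity $CatchAll -User $Delegate `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# Step 2: dynamic distribution group covering all recipient types.
New-DynamicDistributionGroup -Name $GroupName -IncludedRecipients AllRecipients `
    -PrimarySmtpAddress $GroupAddress | Out-Null

# Step 3: switch the accepted domain from Authoritative to Internal Relay.
# Repeat for every accepted domain that should use the catch all mailbox.
Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay

# Step 4: redirect mail from outside the organization to the catch all mailbox,
# except when the recipient is a member of the dynamic distribution group.
# Created disabled, because the group can take up to two hours to become usable.
New-TransportRule -Name $RuleName -FromScope NotInOrganization `
    -RedirectMessageTo $CatchAll -ExceptIfSentToMemberOf $GroupAddress `
    -Enabled $false | Out-Null

# Read back what was configured before switching the rule on.
Get-AcceptedDomain -Identity $Domain | Format-List Name, DomainType
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, FromScope, RedirectMessageTo, ExceptIfSentToMemberOf
Get-MailboxPermission -Identity $CatchAll |
    Where-Object { -not $_.IsInherited } | Format-Table User, AccessRights

# Once the group is ready, enable the rule:
# Enable-TransportRule -Identity $RuleName
```

The permission listing at the end shows exactly who can read the catch all mailbox, which matters because it collects mail that was meant for other people.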

You configured the catch all mailbox rule, but we still need to check that the catch all mailbox configuration works in the next step.

Verify catch all mailbox configuration

Email a non-existing recipient from the internal domain m365info.com.

Important: Give it 15 minutes before you test the Catch all mailbox rule, as it needs time to propagate the changes in the Exchange Online environment.

In our example, we will use Amanda’s mailbox (Amanda.Morgan@m365info.com) to send an email message to the following email address: Unknown456@m365info.com.

The email that Amanda sent to the non-existing recipient Unknown456@m365info.com was redirected and delivered to the Catch All shared mailbox.

When we open the folder Catch All > Inbox, we see the email message was delivered. Even though the email address did not belong to anyone in the recipient list (GAL), the email message was delivered with the help of the mail flow transport rule.

The table below shows where an email will be received, depending on whether an internal (organization domain) or external (Hotmail, Gmail, or other domain) email address sends it.

From     | To                         | Receive
Internal | Existing email address     | Existing recipient
Internal | Non-existing email address | Catch all shared mailbox
External | Existing email address     | Existing recipient
External | Non-existing email address | Catch all shared mailbox

You successfully configured the catch all mailbox rule in Exchange admin center!

Conclusion

You learned how to configure a catch all mailbox for your organization in Exchange admin center. It solves the problem of missing important emails because of spelling errors. Remember that this is not a solution for every organization, as it can cause an increase in spam emails. But it’s an excellent way to control every message sent to the organization that didn’t reach the recipient’s mailbox.


This Post Has 12 Comments

  1. Amazing tutorial, very detailed. I follow all steps but at the end I can’t check Catch all mailbox. It doesn’t appear in the list of folders. So I don’t know how to check it.

  2. Seriously? For something really simple it has to go through all those steps? Surely someone out there for the last 20 years must have written a script of some sort to perform all the tasks for a domain, and repeat for multiple domains.

    Gosh, it’s 2024 and Microsoft has no way to simplify the process? Gosh!!!

    1. Surely this comment is a bot. Catch-all mailboxes are not a Microsoft supported feature as mentioned at the start of the article as it contributes to an increase in unnecessary mail and the possibility to guarantee delivering spam mail to a domain on any possible address.

      Don’t be thick.

      And of course you can do this with a script, in Exchange Online PowerShell. It’d take like 20 minutes if you have a brain.

  3. Thank you for explaining that, It was very easy for me to apply it after reading your post.

    Thanks!

  4. Great article. But I have a big problem. I have already removed this rule but am still receiving hundreds of emails. How to stop it?

  5. Great article that finally resolved the issue of unknown recipients. Great work! Thank you!

  6. Good article and it really works for mail addresses, which are not found on the Exchange Online Server, but it does not catch ALL mails.

    The point is, that rejected mails were not forwarded into the catch all Mailbox. For example if there is an o365-group which does not permit external senders. Those mails are not being collected in the catch all Mailbox.

    Do you have an idea, what I can do to make that happen as well?
