Create a Catch-All Mailbox in Office 365

5/5 - (2 votes)

While working on a cross-tenant issue with a customer, I had the requirement minimize the number of non-delivery reports sent to external users.  I suggested the best way to do this might be a catch-all mailbox.

Background

What exactly is a catch-all mailbox?  In layman’s terms, it’s a mailbox designed to receive (or catch) all of the mail addressed to invalid recipients in a particular mail system. Many hosting platforms have this type of feature; Exchange Online utilized directory-based edge blocking (DBEB) to filter out invalid recipients prior to mailbox delivery.

Configuration

We can mimic the behavior of catch-all mailboxes with the configuration of a shared mailbox, a transport rule, a dynamic distribution group, and disabling DBEB.

Creating a dynamic distribution list for all valid users

The first step is to create a distribution list that includes all of the users who have mailboxes in your environment.  It’s pretty easy to create this via PowerShell.

New-DynamicDistributionGroup -Name 'AllMailboxes' -Alias 'AllMailboxes' -OrganizationalUnit $null -IncludedRecipients 'MailboxUsers'

That will include all user mailboxes.  You can also use additional categories, such as MailContacts, Resources, MailGroups or MailUsers.  To specify more than one, you can use an array syntax (such as @(‘MailboxUsers’,’Resources’).

Creating a shared mailbox to receive the errant messages

Next, you’ll need to create a mailbox that will eventually hold all of the mail that couldn’t be delivered to the original recipients.  To do this from PowerShell:

New-Mailbox -Shared -Alias 'catchall' -Name "Catch-All Mailbox" -DisplayName "Catch-All Mailbox" -Force

Next, we’ll tie it together with a rule.

Creating a transport rule to redirect the messages

In order to redirect the messages, you’ll need an Exchange Transport Rule:

New-TransportRule -FromScope 'NotInOrganization' -RedirectMessageTo 'catchall' -ExceptIfSentToMemberOf AllMailboxes -Name 'AllMailboxes' -StopRuleProcessing:$false -Mode 'Enforce' -Comments 'Catch-all mailbox rule' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'

The rule does three things:

  • Specifies the senders as people outside of the organization
  • Redirects the mail to the ‘catchall’ mailbox created earlier
  • Makes an exception if the user is a member of the ‘AllMailboxes” dynamic distribution group we created originally

Finally, we’ve got to disable DBEB to make sure invalid recipients don’t get filtered.

Disabling Directory-Based Edge Blocking

Disabling DBEB is a relatively straightforward process–handled by changing an accepted domain’s type from Authoritative to InternalRelay.

Set-AcceptedDomain -Identity <domain> -DomainType InternalRelay

You can configure the domain type per-domain (if that wasn’t obvious already).

Wrapping up

With this configuration in place, you should be able to look at the catchall mailbox you created and view messages intended for recipients whose names might have been misspelled or whose accounts were removed.  It’s a handy way to see what you’re missing out on.

author avatar
Aaron Guilmette
Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.

13 Replies to “Create a Catch-All Mailbox in Office 365”

  1. Thanks for the post. Do you know if this would work with a 365 Business Basic account with one email account? For the past 20 years I’ve been using a catch-all account as my email account hosted with godaddy, and generating random usernames to correspond with the website I’m interacting with. That way if one gets compromised it’s easy to block it.

    But now I’d like for Microsoft 365 Business Basic to manage my domain’s mx, and I’m having trouble seeing how I could continue to do this. But now I have hundreds of random one-off mail address for accounts that I would lose connectivity to unless I can keep the catch-all working. Microsoft’s official statement about this is that they don’t allow catch-all accounts.

    1. As long as you can create a shared mailbox, groups, and transport rules, you can use this. 🙂 I’ve never seen any guidance that says you *can’t* do that (if you have seen it, please share with the rest of the class).

  2. How could i make an existing email address the catch-all, so that it still receives email addressed directly to it?

    1. Just do all of the steps as indicated, with the exception of creating the mailbox. In the PowerShell scriptlet where you specify ‘catchall’ as the alias name, replace it with the alias for the existing mailbox.

Comments are closed.