While working on a cross-tenant issue with a customer, I had the requirement to minimize the number of non-delivery reports sent to external users. I suggested the best way to do this might be a catch-all mailbox.
Background
What exactly is a catch-all mailbox? In layman’s terms, it’s a mailbox designed to receive (or catch) all of the mail addressed to invalid recipients in a particular mail system. Many hosting platforms have this type of feature; Exchange Online utilizes directory-based edge blocking (DBEB) to filter out invalid recipients prior to mailbox delivery.
Configuration
We can mimic the behavior of catch-all mailboxes by configuring a shared mailbox, a transport rule, and a dynamic distribution group, and by disabling DBEB.
Creating a dynamic distribution list for all valid users
The first step is to create a distribution list that includes all of the users who have mailboxes in your environment. It’s pretty easy to create this via PowerShell.
New-DynamicDistributionGroup -Name 'AllMailboxes' -Alias 'AllMailboxes' -OrganizationalUnit $null -IncludedRecipients 'MailboxUsers'
That will include all user mailboxes. You can also use additional categories, such as MailContacts, Resources, MailGroups or MailUsers. To specify more than one, you can use an array syntax (such as @('MailboxUsers','Resources')).
Next, you’ll need to create a mailbox that will eventually hold all of the mail that couldn’t be delivered to the original recipients. To do this from PowerShell:
New-Mailbox -Shared -Alias 'catchall' -Name "Catch-All Mailbox" -DisplayName "Catch-All Mailbox" -Force
Next, we’ll tie it together with a rule.
Creating a transport rule to redirect the messages
In order to redirect the messages, you’ll need an Exchange Transport Rule:
New-TransportRule -FromScope 'NotInOrganization' -RedirectMessageTo 'catchall' -ExceptIfSentToMemberOf AllMailboxes -Name 'AllMailboxes' -StopRuleProcessing:$false -Mode 'Enforce' -Comments 'Catch-all mailbox rule' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'
The rule does three things:
- Specifies the senders as people outside of the organization
- Redirects the mail to the ‘catchall’ mailbox created earlier
- Makes an exception if the user is a member of the ‘AllMailboxes’ dynamic distribution group we created originally
Finally, we’ve got to disable DBEB to make sure invalid recipients don’t get filtered.
Disabling Directory-Based Edge Blocking
Disabling DBEB is a relatively straightforward process, handled by changing an accepted domain’s type from Authoritative to InternalRelay.
Set-AcceptedDomain -Identity <domain> -DomainType InternalRelay
You can configure the domain type per-domain (if that wasn’t obvious already).
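To confirm that all four pieces are in place, and to see which valid recipients fall outside the rule's exception group, here is an audit script added as an example (it is not part of the original post). It assumes a connected Exchange Online PowerShell session and the names used above, 'AllMailboxes' and 'catchall'.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has
# already been run and that the names below match the ones created above.
$groupName = 'AllMailboxes'   # dynamic distribution group and transport rule name
$catchAll  = 'catchall'       # alias of the catch-all shared mailbox

# 1. Accepted domains: a domain that is still Authoritative keeps DBEB active.
Get-AcceptedDomain | ForEach-Object {
    [pscustomobject]@{
        Domain = $_.DomainName
        Type   = $_.DomainType
        DBEB   = if ("$($_.DomainType)" -eq 'Authoritative') { 'Active' } else { 'Disabled' }
    }
} | Format-Table -AutoSize

# 2. The catch-all mailbox must exist (expected RecipientTypeDetails: SharedMailbox).
$mbx = Get-Mailbox -Identity $catchAll -ErrorAction SilentlyContinue
if (-not $mbx) { Write-Warning "Mailbox '$catchAll' not found." }
else { $mbx | Format-List DisplayName, PrimarySmtpAddress, RecipientTypeDetails }

# 3. The transport rule: check state, mode, scope, redirect target and exception.
$rule = Get-TransportRule -Identity $groupName -ErrorAction SilentlyContinue
if (-not $rule) { Write-Warning "Transport rule '$groupName' not found." }
else {
    $rule | Format-List Name, State, Mode, FromScope, RedirectMessageTo, ExceptIfSentToMemberOf
}

# 4. Coverage: list recipients that are NOT members of the dynamic group.
#    Membership is previewed by evaluating the group's own recipient filter.
$ddg = Get-DynamicDistributionGroup -Identity $groupName
$covered = @{}
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -ResultSize Unlimited |
    ForEach-Object { $covered["$($_.PrimarySmtpAddress)"] = $true }

Get-Recipient -ResultSize Unlimited |
    Where-Object { -not $covered.ContainsKey("$($_.PrimarySmtpAddress)") } |
    Sort-Object RecipientTypeDetails, PrimarySmtpAddress |
    Format-Table PrimarySmtpAddress, RecipientTypeDetails -AutoSize
```

Any address listed in step 4 is a valid recipient that the rule's exception does not cover, so external mail sent to it is redirected to the catch-all mailbox; add its category to -IncludedRecipients if that is not what you want.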
Wrapping up
With this configuration in place, you should be able to look at the catchall mailbox you created and view messages intended for recipients whose names might have been misspelled or whose accounts were removed. It’s a handy way to see what you’re missing out on.
Thanks for the post. Do you know if this would work with a 365 Business Basic account with one email account? For the past 20 years I’ve been using a catch-all account as my email account hosted with godaddy, and generating random usernames to correspond with the website I’m interacting with. That way if one gets compromised it’s easy to block it.
But now I’d like for Microsoft 365 Business Basic to manage my domain’s mx, and I’m having trouble seeing how I could continue to do this. But now I have hundreds of random one-off mail addresses for accounts that I would lose connectivity to unless I can keep the catch-all working. Microsoft’s official statement about this is that they don’t allow catch-all accounts.
As long as you can create a shared mailbox, groups, and transport rules, you can use this. 🙂 I’ve never seen any guidance that says you *can’t* do that (if you have seen it, please share with the rest of the class).
How could I make an existing email address the catch-all, so that it still receives email addressed directly to it?
Just do all of the steps as indicated, with the exception of creating the mailbox. In the PowerShell scriptlet where you specify ‘catchall’ as the alias name, replace it with the alias for the existing mailbox.