// accept-all domains, actually resolved
Catch-All Checker
Every other verifier marks catch-all domains "risky" and charges you anyway. We resolve the actual mailbox with provider-level identity checks — Microsoft 365 and Google Workspace — on top of a real SMTP handshake.
# 5 free checks/day from this page — no signup, no card.
# slow MTAs can take up to 30s. we wait for the real answer.
real SMTP handshake · catch-all resolution · disposable + role detection · bulk CSV · REST API
01 what a catch-all domain actually is
A catch-all — or accept-all — domain is a mail server configured to accept mail addressed to anything at the domain. jane@acme.com, sales@acme.com, kjh3f98s@acme.com: the server takes them all and sorts it out later. Admins set this up so typos and legacy addresses don't bounce, mail routed through migrations doesn't get lost, and security teams can trap phishing probes in a quarantine box.
It's a perfectly reasonable server configuration. It's also the single biggest blind spot in email verification, because the standard verification technique relies entirely on the server rejecting bad recipients. Catch-all servers never reject anyone — which is exactly the problem.
02 why every verifier says "risky"
Standard SMTP verification works like this: resolve the domain's MX records, open a connection to the mail server, and walk the start of a delivery — EHLO, MAIL FROM, RCPT TO — then hang up before sending anything. The server's reply to RCPT TO is the verdict: 250 means the mailbox exists, 550 means it doesn't.
> RCPT TO:<jane@acme.com> < 250 2.1.5 Recipient OK > RCPT TO:<zk49qwfx@acme.com> < 250 2.1.5 Recipient OK ← catch-all. the handshake tells you nothing.
On a catch-all domain, the server answers 250 to every recipient — including addresses that were invented a second ago. The handshake carries zero information about whether your specific mailbox is real. An honest tool has to admit that, so it stamps the address risky or accept-all, charges you a credit, and moves on. Catch-all configurations are common across B2B domains, so on a typical prospect list a painful slice of your spend comes back as a shrug.
03 how we resolve the mailbox anyway
The SMTP front door is a dead end on catch-all domains, so we stop asking it. Most custom-domain business mail is hosted on one of two platforms — Microsoft 365 or Google Workspace — and both expose identity infrastructure that knows which accounts actually exist:
- Microsoft 365: we identify the domain's tenant and probe Microsoft's own identity endpoints to determine whether the address corresponds to a real account in that tenant.
- Google Workspace: we run equivalent probes against Google's account infrastructure to confirm the mailbox identity exists.
These checks are independent of the catch-all configuration, so a result that any other tool returns as risky collapses into a definitive deliverable or undeliverable. When a catch-all domain sits on a host we can't probe, we say so honestly — and unknown results are never charged.
syntax ──→ mx lookup ──→ smtp handshake
│
├── 550 ───────────────────→ undeliverable
├── 250, not catch-all ────→ deliverable
└── 250, catch-all detected
│
├── microsoft 365 ──→ tenant identity probe ──→ verdict
├── google workspace → account probe ─────────→ verdict
└── other host ─────→ risky / unknown (not charged)
04 the rest of the stack
real smtp checks
Live handshakes against the actual mail server — not a syntax regex and an MX lookup dressed up as verification.
disposable + role detection
Burner domains (mailinator-style) and role accounts (info@, sales@, admin@) are flagged on every result, along with a free-provider flag for gmail/outlook/yahoo addresses.
bulk csv cleaning
Upload a list, get per-row results back: status, reason and every flag for each address. Unknowns are refunded automatically on bulk jobs.
rest api
Simple key auth (X-API-Key), JSON in, JSON out, 120 req/min per key. Full reference at emailverificationapi.io.
05 pricing
1 credit = 1 verification. Sign up free and get 100 free credits — no card required. Single-check unknowns are never charged; bulk unknowns are refunded automatically.
06 faq
what is a catch-all domain?
A catch-all (accept-all) domain is a mail server configured to accept mail for any address at the domain, whether or not a mailbox with that name exists. The server answers 250 OK to every recipient during the SMTP handshake, so the handshake alone cannot tell you whether a specific mailbox is real.
why do other email verifiers return "risky" for catch-all domains?
Standard verification relies on the mail server's response to the RCPT TO command. On a catch-all domain the server accepts every recipient, so the response carries no information. Most tools stop there, label the address "risky" or "accept-all", and leave you to guess.
how does Catch-All Checker resolve mailboxes on catch-all domains?
When the SMTP handshake is inconclusive, we run provider-level identity checks. For domains hosted on Microsoft 365 we probe the tenant's identity layer; for Google Workspace we probe Google's account infrastructure. These checks reveal whether the specific account exists, independent of the catch-all configuration.
can every catch-all domain be resolved?
No. Provider-level resolution covers domains hosted on Microsoft 365 and Google Workspace, which together host the majority of custom-domain business mail. Catch-all domains on other hosts that we cannot resolve are returned as risky or unknown — and unknown results are never charged.
is the free catch-all check really free?
Yes. The widget on this page gives you 5 free checks per day with no signup. Creating a free account adds 100 free credits — no card required.
# stop paying for "risky".
sign up free → 100 credits, no card