What is a catch-all domain?
A catch-all domain (also called an accept-all domain or a wildcard domain) is a domain whose mail server accepts every message sent to it, even to addresses that do not exist. If acme.com is catch-all, then [email protected] and [email protected] both return the same accepted response, whether or not the mailbox is real.
For email verification, that is the problem in a sentence: the server's yes is meaningless, so a normal check returns catch-all, accept-all, unknown, or risky and leaves you to guess. Most verification tools stop there.
How common are catch-all domains?
Across 1.6 million business domains, 31.4% were catch-all. The rate varies sharply by where the domain hosts its email.
| Email provider | Catch-all rate | Domains |
|---|---|---|
| Barracuda (gateway) | 99.9%32,000 | |
| Trend Micro (gateway) | 86.1%3,700 | |
| Proofpoint (gateway) | 71.4%9,100 | |
| Google Workspace | 36%658,000 | |
| Other / self-hosted | 32.9%212,000 | |
| Mimecast (gateway) | 22.9%5,200 | |
| Microsoft 365 | 22.6%691,000 |
Google-hosted domains are catch-all far more often than Microsoft-hosted ones, a gap that holds across the full dataset.
The hidden layer: security gateways
Many organisations route inbound mail through a secure email gateway (Proofpoint, Mimecast, Barracuda, Trend Micro) for filtering. These gateways answer the verification probe themselves, and they are built to accept first and filter later. The result: a domain behind a gateway almost always looks catch-all, regardless of what runs behind it. Barracuda-fronted domains were catch-all 99.9% of the time.
This matters because the gateway hides the real mailbox host. The domain presents as catch-all even when there is a perfectly ordinary Microsoft 365 or Google Workspace mailbox behind it.
Why no tool can verify every catch-all domain
There is a hard limit on catch-all verification, and the data defines it. About 14% of catch-all domains run on self-hosted or niche infrastructure, and 98.8% of that group is genuinely self-hosted, not a recognisable provider.
For self-hosted catch-all domains there is no signal to read. The only way to confirm a mailbox is to send a message and watch for a bounce, which defeats the purpose of verification. That self-hosted floor caps what any provider can resolve: a tool claiming to verify 90% or more of catch-all domains is claiming to check infrastructure that, by its nature, cannot be checked without sending. The arithmetic does not allow it.
Can catch-all domains be verified?
Most can. The other ~86% of catch-all domains run on major email platforms or the security gateways in front of them, infrastructure that carries signals capable of confirming or ruling out a specific mailbox without sending a message. That is the opposite of the common assumption that a catch-all result is a dead end.
OrbiSearch is built to verify the addresses most tools give up on: catch-all domains, domains behind secure email gateways, and greylisted servers. Where a mailbox cannot be confirmed, we say so, rather than guessing.
Accuracy
Yield is only useful if it is correct. We mark an address deliverable only when there is a conclusive signal, and we report uncertainty honestly rather than clearing addresses we cannot confirm. In a head-to-head on 538 confirmed hard bounces that had already passed other validators, this conservative approach is what keeps a safe verdict meaning safe.
Catch-all rates by TLD
Catch-all rates also vary by top-level domain, and the pattern points at specific sectors.
| TLD | Catch-all rate | Domains |
|---|---|---|
| .gov | 38%2,700 | |
| .io | 36%12,800 | |
| .co | 35.1%15,400 | |
| .us | 33.9%9,800 | |
| .com | 32.4%1,200,000 | |
| .edu | 32.3%5,000 | |
| .org | 25.4%125,000 | |
| .com.au | 23.2%34,800 | |
| .nl | 23.1%6,900 |
Government (.gov, and .gov.uk at 39.5%) and technology (.io) domains are the most catch-all-heavy, well above the .com baseline of 32.4%. Teams running cold outreach or data enrichment into the public sector or tech hit the catch-all wall more than most.
Methodology
The dataset covers more than 23 million verification attempts run on OrbiSearch over a window in May 2026, spanning 1.6 million unique business domains with a determinate catch-all result. Domains where catch-all status could not be determined (no MX records, invalid syntax) are excluded.
Prevalence and resolvability are both measured per unique domain: a domain is counted once, by its most recent observation. This rule is stable, majority-vote and any-observation rules produce the same 31.4% headline. Provider is the secure email gateway where one is present, otherwise the underlying mailbox host. Resolvability reflects whether a domain's infrastructure carries signals that allow a specific mailbox to be confirmed without sending; it is a property of the domain, not of any particular address list.
One caveat on representativeness: this is the population of domains our users verify, which skews toward B2B prospecting lists. It is a strong benchmark for outreach and go-to-market data, not a random sample of the whole internet. The TLD figures in particular reflect where our users prospect.
