How many websites do you sign up to every year? Usually, whenever you register at a website you use your primary email address, right? This is just easier: you get the email straight away, log in, and everyone is happy. But how long does it take before a brand-new email address is filled to the brim with spam and phishing emails?

One way to combat this is to not use your email address whenever you register somewhere. Instead, we’ll create some nifty rules in our Exchange that will catch any mail that comes into our organization that is sent to a certain domain and redirect it directly to a folder in our mailbox.

What are the benefits

There are several reasons to do this, but the most prominent one is that you won’t spread your primary email address around. You will always end up getting spam and phishing, and there is no way around that, but using your primary email address for everything puts it out into circulation.

If a site you’ve registered at goes rogue and sells its user base, or gets hacked, your email will be on some very naughty lists. In the same way that you don’t want to use the same password for all sites, you don’t want to log in with the same email address everywhere.

The way we will do it, you can easily see who “betrayed” you. If you use [email protected] to log into Facebook, this is the address that will be the receiver if they get hacked and someone adds your email to a list of potential suckers.

Setting up the mail flow rules in Exchange

I’m doing this in Exchange Online, but as far as I know these options are available in the on-premises version as well.

Navigate to Exchange Admin Center, Mail Flow and the Rules tab.

As you can see, we start off by defining that this rule will trigger if the email is from outside of the organization and the recipient's domain is your dedicated catch-all domain. This of course means that you need an extra domain available that is used for nothing else.

Now, you are more or less done. But you will now get all spam sent to your spam-domain straight into your inbox. This is not what we want, so let us create an inbox rule that moves these emails to a folder and out of sight.

You can get to the rules by pressing the cogwheel in the right corner of Outlook Online and searching for Inbox Rules. These rules can also be created in the desktop version of Outlook.

Here we have a condition that will move email that is sent to our spam-domain into a folder. This means that if someone sent you an email that ends with that domain name, it will be moved into that folder.
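The same two rules can be created from Exchange Online PowerShell instead of the admin center. This is an added example, not taken from the original post: the domain `signups.example`, the mailbox `me@contoso.example`, the folder `Signups` and the rule names are placeholders, and it assumes the folder already exists and that the post's inbox-rule condition corresponds to `RecipientAddressContainsWords`.

```powershell
# Added example. All names below are placeholders, not values from the post.
$CatchAllDomain = 'signups.example'     # dedicated domain, assumed to be an accepted domain already
$Mailbox        = 'me@contoso.example'  # mailbox that should receive the catch-all mail
$Folder         = 'Signups'             # assumed to exist already in that mailbox

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Mail flow rule: sender is outside the organization AND the recipient's
# domain is the catch-all domain -> redirect the message to our mailbox.
$transportRule = @{
    Name              = "Catch-all for $CatchAllDomain"
    FromScope         = 'NotInOrganization'
    RecipientDomainIs = $CatchAllDomain
    RedirectMessageTo = $Mailbox
    Comments          = 'Redirects every address on the sign-up domain to one mailbox.'
}
if (-not (Get-TransportRule | Where-Object Name -eq $transportRule.Name)) {
    New-TransportRule @transportRule
}

# Inbox rule: anything addressed to the catch-all domain is moved out of
# the inbox into the dedicated folder.
$inboxRule = @{
    Mailbox                       = $Mailbox
    Name                          = "Move $CatchAllDomain mail to $Folder"
    RecipientAddressContainsWords = "@$CatchAllDomain"
    MoveToFolder                  = "${Mailbox}:\$Folder"
    StopProcessingRules           = $true
}
if (-not (Get-InboxRule -Mailbox $Mailbox | Where-Object Name -eq $inboxRule.Name)) {
    New-InboxRule @inboxRule
}

# Read both rules back so the conditions can be checked before sending a test mail.
Get-TransportRule | Where-Object Name -eq $transportRule.Name |
    Format-List Name, State, FromScope, RecipientDomainIs, RedirectMessageTo
Get-InboxRule -Mailbox $Mailbox | Where-Object Name -eq $inboxRule.Name |
    Format-List Name, Enabled, RecipientAddressContainsWords, MoveToFolder
```

Both rules are only created if no rule with the same name exists, so the script can be re-run safely.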

Of course, after setting up such rules we must test them.

That’s about it! And all you need is an extra domain that you don’t mind using for only one purpose.

This also works with a subdomain if you’ve set that up correctly. However, that means you must set up your domain as Internal Relay, so if you need an email to bounce when it is not sent to a valid recipient, you can use that. It will, of course, somewhat defeat our efforts here, as we need to be open to receiving emails sent to anything that ends in our domain.