Catch-All Domains with Microsoft 365

May 13, 2025

I like having a primary email address that uses my name. It’s simple, professional, and easy to communicate verbally. But relying on a single address — especially one tied to my actual name — isn't always ideal. I don’t want services linking my activity across platforms or using my email as a pivot point for targeted ads, or worse, making it easier for attackers to connect unrelated accounts across breached data sets.

To tackle these privacy concerns, I set up an additional custom email domain using my personal Microsoft 365 tenant. In this article, I'll show exactly how I configured it, why it's beneficial, and some potential pitfalls you should be aware of.

Background

A "catch-all" email setup traditionally means that any message sent to an undefined address at your domain gets delivered to a single inbox. For example, emails sent to amazon@domain.com, newsletter@domain.com, or even randomstring@domain.com would all land in the same place — no need to predefine aliases.

Privacy and Security

Email addresses have become key identifiers across services. They're often used to link behavior, correlate accounts, and target individuals. That creates a few problems. A single, consistent address can be:

  • Targeted by advertisers tracking your online activities
  • Exploited by attackers correlating data breaches

I use strong, unique passwords for everything, but using unique email addresses per service (through the use of a pseudo catch-all account) adds another layer. It helps compartmentalize exposure and makes it easier to see where data might have been shared or leaked. This approach provides some real security benefits:

  • Prevent reuse-based targeting: Breached email addresses are often used to fuel credential stuffing and phishing campaigns. Even with unique passwords, a known email address makes you a target. Using unique addresses per service helps break that link
  • Aid in phishing detection: When you know what address you used for a given service, spotting a fake gets easier. If something claims to be from your bank but arrives at fitnessapp.99@domain.com, that’s a clear red flag
  • Reduce metadata cross-linking: A consistent email address in logs, trackers, or data sets makes it easier to correlate activity across platforms. Rotating aliases weakens that signal
  • Lower the risk of password reset abuse: If one alias gets guessed or exposed, it doesn’t unlock everything. Attackers still have to guess the unique address tied to the target account
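
The phishing check described above can be automated. The following is an added example, not code from the original post: it takes the alias a message was delivered to, looks up which sender domains that alias was handed to, and flags a mismatch. The alias registry, the sample messages and the `.example` domains are constructed for illustration.

```powershell
# Added example: flag mail whose sender does not match the service the alias was given to.
# <something>.99@ scheme from the article; the tag is everything before ".99"
$AliasPattern = '^(?<tag>[^@]+)\.99@fastwebmailnet\.com$'

# Alias tag -> sender domains expected for that service (constructed values).
$Registry = @{
    'mybank'     = @('mybank.example')
    'fitnessapp' = @('fitnessapp.example', 'fitnessapp-mail.example')
}

function Test-AliasSender {
    param([string]$To, [string]$From)

    if (-not ($To.ToLower() -match $AliasPattern)) { return 'not-an-alias' }
    $tag = $Matches['tag']
    # An alias that was never handed out to any service is suspicious by itself.
    if (-not $Registry.ContainsKey($tag)) { return 'unknown-alias' }

    $senderDomain = ($From.ToLower() -split '@')[-1].TrimEnd('>')
    foreach ($expected in $Registry[$tag]) {
        # Accept the registered domain or a true subdomain of it,
        # not a look-alike that merely ends with the same letters.
        if ($senderDomain -eq $expected -or $senderDomain.EndsWith(".$expected")) {
            return 'ok'
        }
    }
    return 'mismatch'
}

# Constructed sample messages (To = the address the mail was delivered to).
$Samples = @(
    @{ To = 'mybank.99@fastwebmailnet.com';     From = 'alerts@mail.mybank.example' }
    @{ To = 'fitnessapp.99@fastwebmailnet.com'; From = 'security@mybank.example' }
    @{ To = 'mybank.99@fastwebmailnet.com';     From = 'support@evilmybank.example' }
    @{ To = 'randomshop.99@fastwebmailnet.com'; From = 'deals@randomshop.example' }
)

foreach ($m in $Samples) {
    '{0,-14} {1} <- {2}' -f (Test-AliasSender @m), $m.To, $m.From
}
```

The check compares only the visible From domain, which a sender can forge, so it complements SPF, DKIM and DMARC results rather than replacing them.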

Microsoft 365 Setup

I'm using Microsoft 365 for email hosting and Namecheap as my registrar, but this approach works with most domain registrars and email providers.

You’ll need a domain name and a Microsoft 365 tenant with Exchange Online licensing to follow along. I used an unrelated domain just for this setup. For clarity, I’ll use a fictional example: fastwebmailnet.com.

First, add and verify the domain within Microsoft 365 (this is well-documented elsewhere, so I'll skip detailed instructions).

Next, set up a mail flow rule to redirect emails containing a specific pattern to your primary email address:

  • Navigate to Admin Portal > Admin Centers > Exchange > Mail Flow > Rules
  • Create a new rule:
    • Name: Catchall
    • Apply this rule if: The recipient address includes any of these words
      • 99@fastwebmailnet.com
    • Do the following: Redirect the message to these recipients
      • Select your primary mailbox
    • Settings Tab: Match sender address in message: Header

Including "99@fastwebmailnet.com" in the rule means your addresses take the form <something>.99@fastwebmailnet.com. The period before "99" is important: it seems to be required for the rule to match properly, because of how Microsoft 365 parses email addresses for mail flow rules. So, your final address might be something like storeabc.99@fastwebmailnet.com. This structure gives you flexibility while also preventing unintentional catch-all behavior for addresses like info@ or accounts@ that might otherwise receive bulk spam.

Outlook Categorization (Optional)

To easily recognize emails sent to the custom domain, I set up categorization in Outlook (this step is optional but helpful for organization):

  • Go to Outlook > Settings > Mail > Rules
  • Click Add a new rule
    • Name: fastwebmailnet.com
    • Condition: Recipient address includes @fastwebmailnet.com
    • Action: Categorize the message into a new category labeled "Fastwebmailnet" with a unique color

This automatically tags incoming emails, so while skimming your inbox you can see at a glance that a message wasn't sent to your primary address.

Scalability

This setup is also scalable. You can define different suffixes (like .99, .98, etc.) for different users or use cases. For example, a family member could use addresses ending in .98@fastwebmailnet.com, with a separate mail flow rule routing those messages to their own mailbox. This keeps things isolated while still using the same domain.
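
The mail flow rule from the setup section, together with the per-suffix routing described here, can also be created from Exchange Online PowerShell. This is an added example, not the author's own script: the destination mailboxes and the `Catchall-<suffix>` rule names are placeholders, and it assumes the ExchangeOnlineManagement module is installed and that you sign in as an Exchange administrator.

```powershell
# Added example: one redirect rule per alias suffix (values below are assumptions).
# Requires: Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                      # interactive sign-in as an Exchange admin

$Domain = 'fastwebmailnet.com'              # the article's fictional domain

# Suffix -> destination mailbox. Both mailboxes are placeholders.
$Routes = @{
    '99' = 'me@example.com'
    '98' = 'family.member@example.com'
}

foreach ($suffix in $Routes.Keys) {
    $ruleName = "Catchall-$suffix"          # hypothetical naming scheme

    # Skip suffixes that already have a rule so the script can be re-run safely.
    if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule $ruleName already exists, leaving it unchanged"
        continue
    }

    $params = @{
        Name                          = $ruleName
        # "The recipient address includes any of these words"
        RecipientAddressContainsWords = ('{0}@{1}' -f $suffix, $Domain)
        # "Redirect the message to these recipients"
        RedirectMessageTo             = $Routes[$suffix]
        # "Match sender address in message: Header"
        SenderAddressLocation         = 'Header'
    }
    New-TransportRule @params
}

# Review which rules are now routing mail for the alias domain.
Get-TransportRule | Where-Object Name -like 'Catchall-*' |
    Format-Table Name, State, RecipientAddressContainsWords, RedirectMessageTo

Disconnect-ExchangeOnline -Confirm:$false
```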

Additional Advantages

  • Easy Email Tagging: Quickly identify and categorize emails based on the service used
  • Multiple Account Creation: Create unique email addresses for signing up for services multiple times
  • Abuse Containment: If a specific alias starts getting spam, you can block or redirect just that one without affecting your main inbox

Things to Consider

One potential snag (though I haven't personally encountered it yet) is services requiring you to send or reply from the exact registered email address. If needed, you might have to reply from a generic address within your catch-all domain or revert to your primary email.

Future Work

A future enhancement I'm considering is domain-level breach monitoring using services like HaveIBeenPwned. Currently, I'd have to individually monitor each email address, but HaveIBeenPwned offers a domain-level subscription that could simplify proactive detection across the entire domain.

Conclusion

I've been using this custom email alias routing setup for about three years now, and it has proven consistently useful. It helps manage privacy and simplifies my email organization. While it's not perfect, it's a low-maintenance way to reduce the exposure of my primary email and spot leaks when they happen. It's worked well for me.