How do catch-all addresses work?

A catch all address accepts mail for any local part on a domain. If tidalmail.com enables a catch all then captain@tidalmail.com, firstmate@tidalmail.com, and even random strings all deliver to the same mailbox.

Catch all domains are particularly vulnerable to directory harvest attacks where spammers test thousands of possible names. Because the domain accepts everything it signals that every address is valid.

This can be useful for small teams but risky if spammers target random names at the domain. A catch all is a wide open harbor where every incoming vessel is allowed to dock, friendly or not.