Test edit

Zackrag — Mon, 20 Apr 2026 06:23:52 +0000

Three months ago I ran a cold outbound campaign to 4,200 "verified" leads. The list had been processed by a well-known verifier—overall accuracy rate: 97%. My bounce rate on the first send was 11.4%. The domain I was using had been sending cleanly for two years. It took six weeks of re-warmup to recover it.

The culprit: catch-all domains. Nobody told me they were a separate category with completely different verification mechanics.

What a catch-all domain actually is

When your email server checks whether an address is valid, it initiates an SMTP handshake with the receiving mail server and asks: "Does this mailbox exist?" Most servers answer honestly—250 means yes, 550 means no.

Catch-all servers lie. Or more precisely, they're configured to accept everything. They respond 250 OK to every address—real@company.com, fake@company.com, asdfgh@company.com—regardless of whether any mailbox behind that address is actually active.

This is usually intentional. Companies configure catch-all so they don't lose emails sent to misspelled or retired addresses. It's especially common in mid-market and enterprise: smaller IT teams, older infrastructure, less aggressive inbox hygiene.

On a typical B2B prospecting list, 30–40% of addresses sit on catch-all domains. For lists heavy with enterprise accounts, that number climbs higher.

Why SMTP probing fails completely here

Standard email verification runs five steps: syntax check, DNS lookup, MX record check, SMTP handshake, and catch-all detection. Steps 1–4 work fine. Step 5 is where things break.

"Catch-all detection" identifies that a domain is catch-all. It doesn't tell you whether the specific mailbox behind it is active. Once a server is flagged as catch-all, the verifier has no SMTP-based path to probe individual addresses. The server will say 250 OK to anything you throw at it. The protocol makes deeper probing impossible.

So what do tools do when they hit a catch-all domain? Most mark every address on it as "risky," "unknown," or "accept-all," then move on. Some try heuristics—checking whether the username format matches LinkedIn patterns, or whether the domain's MX records belong to Google Workspace or Microsoft 365 managed hosting. None of them can tell you definitively whether james.porter@bigcorp.com has an active inbox.

This is not a bug in any specific tool. It's a protocol ceiling every tool hits equally.

The accuracy number vendors don't show you

Every verification vendor publishes a headline accuracy figure. ZeroBounce claims 98%+. Kickbox claims 99%. NeverBounce's marketing lands around 99.9%. These numbers are accurate. They're also misleading.

When Hunter.io ran an independent benchmark of 15 email verification tools across roughly 3,000 real business emails, the top scorer hit 70% overall accuracy. Clay ran a separate controlled test and found that when catch-all domains were excluded from the sample, ZeroBounce hit 99.25%, Findymail hit 98.92%, Hunter hit 98.52%.

The tools are genuinely excellent—on the addresses they can actually verify. The gap is the catch-all segment. Vendors report accuracy on verifiable addresses and either exclude catch-alls from their benchmark methodology or group them under "risky: send at your own risk."

A list with 40% catch-all addresses and 99% accuracy on everything else can still produce a 9%+ bounce rate if you send to the catch-all segment without further triage. Scrubby's data puts the hard-bounce rate on unverified catch-all emails at around 23%.

How the major tools actually handle catch-alls

Here's what I found after running the same 1,200-address catch-all segment through each tool:

Tool	Marketed Accuracy	Catch-All Strategy	Real-World Verdict
ZeroBounce	98%+	Flags as "accept-all," assigns risk score	Conservative; useful API structure for pipelines
NeverBounce	99.9%	Flags as "accept-all," excludes from safe-send	Most conservative; 0 bounces on approved in independent tests
Kickbox	99%	Flags as "accept-all," engagement scoring	Best at detecting catch-all domains accurately
Findymail	98.9%	Pattern-based scoring for catch-all addresses	Good username heuristics, useful as second pass
Hunter.io	95%+	Returns "catch-all" status, leaves triage to you	Honest about limitations, no false confidence
ZoomInfo	Enterprise tier	Supplements SMTP with in-platform activity signals	Best supplemental signal, worst price point

The table makes something visible that most comparisons hide: differentiation is in what tools do with uncertainty, not with addresses they can cleanly verify. A tool that aggressively marks catch-all addresses as risky will score lower in aggregate accuracy benchmarks—because it refuses to give a clean verdict—but will protect your deliverability better in practice.

NeverBounce's conservatism looks bad in head-to-head tests where "gave a clean result on more addresses" is counted as accuracy. In real campaigns, that conservatism is a feature. Kickbox's advantage isn't its overall number—it's that it's better at detecting catch-all domains in the first place, so your risky segment is more accurately populated.

Why your current workflow is probably wrong

The common mistake: treating "risky" and "invalid" as interchangeable. They're not.

Invalid means the SMTP handshake returned a hard rejection—the mailbox definitively doesn't exist. Never send to these.

Risky/accept-all means the tool couldn't verify the address. Some of these are real inboxes. Depending on the domain, delivery rates on catch-all addresses range from 50% to 85%—the spread is large because it depends on the specific company's mail configuration. Suppressing your entire catch-all segment can mean losing 20–30% of legitimate leads.

Most people run verification once before a campaign and assume they're done. With catch-all domains, that's a single point of failure.

A triage workflow that actually works

After losing a domain to a bad catch-all send, I rebuilt my process around five steps:

1. Separate your catch-all segment immediately. Any verifier returns a status field. Pull every row where status is accept-all, catch-all, unknown, or risky. Never mix this with your clean-send list.

2. Apply username pattern scoring. Addresses following firstname.lastname or firstname patterns at domains with Google Workspace or Microsoft 365 MX records are substantially more likely to be active. Addresses like info@, admin@, support@, or auto-generated strings are almost always shared inboxes or role addresses—skip them regardless.

3. Verify the person, not just the address. If you can confirm on LinkedIn that the person is currently employed at that company, the probability of a real inbox jumps meaningfully. You're not verifying the email through this step—you're verifying the person behind it. Tools like Clay make this feasible at scale.

4. Warm up your catch-all sends separately. Never mix catch-all addresses into your main send sequence. Start with 10–15% of the catch-all segment, monitor bounce rate after 72 hours, and expand only if you stay under 1% hard bounce. Each new batch is its own experiment.

5. Re-verify quarterly. Catch-all configurations change. A domain that was catch-all six months ago might have tightened its policy. A clean domain might have moved to catch-all after an IT migration. Static verification is a snapshot.

The difference between a 2% bounce rate and an 11% bounce rate is almost always whether you had a catch-all triage layer—not which primary verifier you used.

What published benchmarks miss

Published verifier comparisons focus on aggregate accuracy across the full dataset. Almost none isolate catch-all accuracy as a separate metric. This creates a real problem: the tools that score highest in benchmarks are often the ones most likely to give you a false sense of safety.

If a tool marks 40% of your list as "risky" and you ignore that, you're not using the tool correctly. If a tool marks only 15% as risky and lets the rest through, it's not necessarily more accurate—it may just be less cautious.

The honest metric to demand from any verifier is: of the addresses you classified as safe-to-send, what percentage actually delivered? Not overall accuracy. Safe-to-send accuracy. That number tells you what the tool is actually doing with catch-all uncertainty.

Very few vendors publish this breakdown. NeverBounce comes closest with its conservative flagging. For everyone else, you're extrapolating from aggregate claims.

What I actually use

For the core verification pass, I run Kickbox first for its catch-all detection reliability, then run the risky segment through Findymail for pattern scoring on the usernames.

For any batch where the catch-all rate exceeds 30%, I pull it through Clay to add LinkedIn employment signals before deciding whether to include those addresses in an active sequence.

ZeroBounce is my default when I'm integrating verification into an automated pipeline—the API response structure is cleaner and the documentation is thorough. NeverBounce is my choice when domain reputation matters more than list size: it's more conservative, which costs leads but protects deliverability.

For workflows that start from social profiles rather than an existing email list—pulling contact data from Twitter or Facebook profiles—Ziwa has been faster for me than going through PDL's direct API, though that's a different use case than verifying a list you already have.

If you're running more than 5,000 emails per month to B2B lists, the catch-all segment deserves its own process. Treating "risky" as interchangeable with "skip" loses real leads. Treating it as interchangeable with "safe to send" destroys domains. The workflow above sits between those two failure modes.

DEV Community: Zackrag