You need a new address — sales@, billing@, support@. Most guides say "just use an alias, it's free." That works until replies go out from your personal address, invoices vanish when an employee leaves, or forwarded emails get silently rejected because SPF fails. You lose legitimate mail with zero bounce notification.
This is the domain email alias vs mailbox failure pattern. It exists because Google Workspace and Microsoft 365 charge $6–$30 per user per month. That per-seat penalty trained everyone to substitute aliases where they should use mailboxes. They're not the same thing — architecturally or operationally.
This guide is the decision framework: what's different at the protocol level, how each type fails in production, and a clear decision matrix for every address type. For background on how forwarding mechanics work, read the deep-dive on email forwarding: setup, fix, and how it works. If you're choosing between aliases and mailboxes, start here.
What's the Actual Difference Between an Alias and a Mailbox?
A domain email alias is a routing rule. When an MTA receives mail for alias@domain.com, it rewrites the envelope recipient to a destination address and delivers it there. No storage. No credentials. No independent identity. A mailbox is a storage container — dedicated quota, IMAP credentials, a sent folder, and an isolated audit trail. You can log into a mailbox. You cannot log into an alias.
| Feature | Email Alias | Full Mailbox |
|---|---|---|
| SMTP function | RCPT TO rewrite (pointer) | Storage container (endpoint) |
| Can log in via IMAP | No | Yes — dedicated credentials |
| Storage | 0 GB — uses recipient's quota | Dedicated slice of pooled storage |
| Audit trail | Commingled with recipient inbox | Isolated sent/received history |
| Reply identity | Requires "Send As" configuration | Native — defaults to mailbox address |
| SPF with external forwarding | Breaks unless host uses SRS | Not applicable — sends directly |
| Cost (Google Workspace / M365) | Free | $6–$30/user/month |
| Cost (TrekMail) | Included | Included (flat rate per domain) |
Three Ways Aliases Fail in Production
Aliases fail in three predictable patterns: identity leakage on reply, SPF/DMARC authentication failure when forwarding to external addresses, and data loss when the recipient account is deleted. None of these are edge cases. They're the default outcome when you use an alias for work that requires a mailbox.
1. The Reply Identity Leak
You alias support@ to your personal founder@yourdomain.com. A customer emails support@. You hit reply.
Unless you've configured "Send As" correctly, the reply goes out from founder@. The professional channel is gone. The customer now has your direct address and will use it forever.
Getting "Send As" right isn't simple:
- Google Workspace: Add the alias as a secondary address, verify it with a code, uncheck "Treat as an alias" to force the correct Return-Path.
- Microsoft 365: Run
Set-OrganizationConfig -SendFromAliasEnabled $truevia PowerShell, or Outlook attaches "On Behalf Of" headers that expose your primary identity. - Desktop clients (Outlook, Thunderbird): Select the correct From address manually for every single reply. One slip and you're exposed.
With a dedicated support@ mailbox, every reply defaults to support@. No configuration required. No identity to leak.
2. The SPF Forwarding Trap
A common setup: alias contact@yourbusiness.com to forward to a personal Gmail. This is architecturally fragile.
Email authentication standards — SPF (RFC 7208) and DMARC (RFC 7489) — verify that the sending IP is authorized by the domain in the envelope. Forwarding breaks that chain.
The failure sequence when a bank sends to your alias and your alias forwards to Gmail:
- Bank's server sends to
contact@yourbusiness.com. - Your server rewrites the recipient and forwards to
you@gmail.com. - Gmail sees your server's IP in the envelope — not the bank's.
- The bank's SPF record doesn't authorize your server. SPF fails.
- If the bank uses
p=rejectDMARC, Gmail rejects the email entirely.
You'll never know. SPF failures at Gmail don't generate a bounce to you. The email just disappears.
To fix this, your host must implement SRS (Sender Rewriting Scheme), which rewrites the envelope sender so forwarded messages pass SPF at the receiving end:
# Original envelope (bank → your alias)
MAIL FROM: <notifications@bank.com>
RCPT TO: <contact@yourbusiness.com>
# After SRS rewrite (your server → Gmail)
MAIL FROM: <SRS0=hash=TT=bank.com=notifications@yourbusiness.com>
RCPT TO: <you@gmail.com>Without SRS, the MAIL FROM still shows notifications@bank.com — a domain your server isn't authorized to send from. SPF fails at Gmail. Many budget registrars don't support SRS or ARC. The full picture on SPF, DKIM, and DMARC baseline configuration is in our guide on secure email for business.
3. The Bus Factor Problem
You alias billing@ to alice@. Alice manages invoices. Alice leaves. You delete her account.
Immediate consequence: billing@ bounces. Incoming invoices fail. Every billing record from the last three years — inside Alice's mailbox — is gone unless you exported it before deletion.
Keep Alice's account just for the records and you're retaining all her personal HR conversations alongside the invoices. That's a compliance problem with no clean solution.
With a dedicated billing@ mailbox, Alice has delegated access. When she leaves, revoke her access. The mailbox and its full history stay intact. Grant Bob access the same day. Zero downtime. Zero data loss.
Decision Matrix: Alias or Mailbox?
Use a mailbox for any address that will send outbound mail, change hands as staff turns over, need an isolated audit trail, or receive high-volume or business-critical email. Use an alias for low-volume routing, temporary tracking addresses, and simple redirects where you'll never need to search the history or reply professionally.
| Address Type | Recommendation | Why |
|---|---|---|
first.last@ (founder, employee) | Mailbox | Primary identity — needs 2FA, private storage, IMAP sync |
support@, billing@, jobs@ | Mailbox | Role account — clean sent folder, staff handoff, spam isolation |
noreply@ | Mailbox | Transactional sending requires SMTP auth — aliases have no credentials |
info@, media@ | Alias | Low-priority routing — forward to an office manager inbox |
vendor-name@, conf2026@ | Alias | Temporary tracking — delete instantly when spam starts |
*@domain.com (catch-all) | Quarantine mailbox only | Never route to a real user's inbox — invites directory harvest attacks |
The noreply@ Exception
noreply@ looks like a routing address, so the instinct is to make it an alias. Don't. Your application authenticates as an SMTP user to send transactional mail. Aliases have no credentials to authenticate with. You need a real mailbox — you just don't publish the password anywhere or hand it to a person.
The Catch-All Warning
Enable a catch-all and route it to a real inbox, and you're accepting every spam probe, typo, and directory harvest attempt targeting your domain. If you need a catch-all, route it to an isolated junk mailbox. Check it weekly. Never let it touch a user's primary inbox. The domain email setup guide covers how to configure this safely from the start.
Why the Industry Gets This Wrong — and How TrekMail Fixes It
The root cause of bad alias architecture isn't ignorance. It's per-seat pricing. Google Workspace and Microsoft 365 charge per mailbox, which creates a direct financial incentive to use aliases where you need mailboxes. You cut corners to save $6/month and end up with broken reply identity, missing audit trails, and SPF failures you'll never see.
Old way (per-seat): 5 employees + 3 role mailboxes (support, billing, noreply) = 8 seats × $6 = $48/month minimum. So you alias
support@to someone's personal inbox and spend an afternoon fighting "Send As" settings — and it still leaks half the time.TrekMail: Flat rate per domain. Create
support@,billing@, andnoreply@as real isolated mailboxes for $0 extra. They draw from your plan's pooled storage, but they don't trigger a new license fee.
Plans start at $3.50/month (Starter: 50 domains, 15GB pooled storage, 100 mailboxes per domain, managed SMTP included). The Nano plan covers 10 domains, 5GB, and up to 10 mailboxes per domain — no credit card required.
For agencies and MSPs, this changes the client conversation entirely. Provision proper role mailboxes for every client without calculating per-seat costs. When a client needs a new address, you add it. Our guide on multi-domain email hosting at scale covers the operational workflow for managing dozens of client domains from one dashboard.
Quick Reference: When to Use Each
Use a mailbox when the address will:
- Be logged into via IMAP to send and read mail
- Change hands as staff turns over
- Need a clean sent-items folder for audit purposes
- Handle high-volume or business-critical email
- Authenticate to an SMTP server for transactional sending
Use an alias when the address will:
- Route low-priority mail to an existing mailbox
- Be temporary — for event tracking or vendor attribution
- Forward within the same domain only
- Never need a professional reply identity or staff handoff
Bottom Line
Aliases route mail. Mailboxes store, send, and retain it. They're not interchangeable — the only reason operators treat them as interchangeable is per-seat billing pressure. Every story about "emails disappeared when she left" or "replies went out from the wrong address" started with an alias doing a mailbox's job.
Build the right architecture the first time. Mailboxes for every address that matters. Aliases only where the stakes are low. Use a host that doesn't charge you extra for doing it correctly.
See TrekMail plans — flat rate per domain, no per-user fees, 14-day free trial on paid plans.
