Skip to main content
← Back

Why you should use :fail: on cPanel (Exim) server

Stefan Pejcic
Stefan Pejcic
Sentinel Maintainer
· 3 min read

There are sound technical reasons that you should only use :fail: and not :blackhole: on a cPanel server running Exim.
We have conducted extensive testing to establish that this configuration is best, and we outline the reasons here.

The Difference Between :fail: and :blackhole:

In general, both settings discard email not destined for a POP3 account, an alias, or a catchall alias.
However, the way email is discarded differs significantly:

Using :blackhole:

  • The email is accepted and fully received into the server.
  • It is then processed through Exim, and only at delivery time is it written to the null device (/dev/null) and silently ignored.

Problems with :blackhole::

  • Wastes bandwidth as the full email data is downloaded.
  • Wastes server resources (CPU, memory, disk I/O) since Exim processes the email entirely before discarding it.
  • Emails can accumulate in the Exim mail queue, leading to performance degradation and delays in normal mail delivery.
  • Breaks SMTP RFC compliance, as the sending server is not notified that the email was undeliverable.
  • Causes persistent spam buildup in queues, since failed checks (e.g., sender verification) can leave undeliverable emails stuck for days, repeatedly reprocessed.

Using :fail:

  • The email is never accepted into the server.
  • During the initial SMTP negotiation:
    • The sending server issues a RCPT command to specify the recipient.
    • Your server checks whether the recipient exists (POP3 account, alias, or catchall).
    • If it does not exist, your server immediately issues an SMTP DENY, terminating the delivery attempt.

Advantages of :fail::

  • Saves bandwidth, since the message body is never transmitted.
  • Saves server resources, as the message is not processed.
  • Complies with SMTP RFCs, as the sending server receives a proper DENY.
  • No bounce messages are generated by your server.
  • Your server sends nothing to the “From:” address (avoiding backscatter spam).
  • The sending server is responsible for notifying the original sender.

SMTP Conversation Example

Here’s a simplified example of what happens when :fail: is used:

  1. Another SMTP server connects to your server on port 25 and initiates a connection (EHLO).
  2. The sending server specifies the sender (MAIL FROM).
  3. The sending server specifies the recipient (RCPT TO).
  4. Your server checks if the recipient address exists:
    • If not, and if no catchall alias is set with :fail:, your server responds with DENY: 
      Go away, no-one here
  5. The sending server then notifies its own user that delivery failed.

Key point:
Your server does not generate bounce messages or receive the email at all. Only a small SMTP negotiation occurs, conserving resources and ensuring compliance.