diff --git a/backend/src/app/email/blacklist.clj b/backend/src/app/email/blacklist.clj
index ca80afb6c9..a07dfccf91 100644
--- a/backend/src/app/email/blacklist.clj
+++ b/backend/src/app/email/blacklist.clj
@@ -36,10 +36,18 @@
                :cause cause)))))
 
 (defn contains?
-  "Check if email is in the blacklist."
+  "Check if email is in the blacklist. Also matches subdomains: if
+  'somedomain.com' is blacklisted, 'xxx@foo.somedomain.com' will also
+  be rejected."
   [{:keys [::email/blacklist]} email]
-  (let [[_ domain] (str/split email "@" 2)]
-    (c/contains? blacklist (str/lower domain))))
+  (let [[_ domain] (str/split email "@" 2)
+        parts      (str/split (str/lower domain) #"\.")]
+    (loop [parts parts]
+      (if (empty? parts)
+        false
+        (if (c/contains? blacklist (str/join "." parts))
+          true
+          (recur (rest parts)))))))
 
 (defn enabled?
   "Check if the blacklist is enabled"
diff --git a/backend/test/backend_tests/email_blacklist_test.clj b/backend/test/backend_tests/email_blacklist_test.clj
new file mode 100644
index 0000000000..5cc043fe32
--- /dev/null
+++ b/backend/test/backend_tests/email_blacklist_test.clj
@@ -0,0 +1,34 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; Copyright (c) KALEIDOS INC
+
+(ns backend-tests.email-blacklist-test
+  (:require
+   [app.email :as-alias email]
+   [app.email.blacklist :as blacklist]
+   [clojure.test :as t]))
+
+(def ^:private cfg
+  {::email/blacklist #{"somedomain.com" "spam.net"}})
+
+(t/deftest test-exact-domain-match
+  (t/is (true?  (blacklist/contains? cfg "user@somedomain.com")))
+  (t/is (true?  (blacklist/contains? cfg "user@spam.net")))
+  (t/is (false? (blacklist/contains? cfg "user@legit.com"))))
+
+(t/deftest test-subdomain-match
+  (t/is (true?  (blacklist/contains? cfg "user@sub.somedomain.com")))
+  (t/is (true?  (blacklist/contains? cfg "user@a.b.somedomain.com")))
+  ;; A domain that merely contains the blacklisted string but is not a
+  ;; subdomain must NOT be rejected.
+  (t/is (false? (blacklist/contains? cfg "user@notsomedomain.com"))))
+
+(t/deftest test-case-insensitive
+  (t/is (true? (blacklist/contains? cfg "user@SOMEDOMAIN.COM")))
+  (t/is (true? (blacklist/contains? cfg "user@Sub.SomeDomain.Com"))))
+
+(t/deftest test-non-blacklisted-domain
+  (t/is (false? (blacklist/contains? cfg "user@example.com")))
+  (t/is (false? (blacklist/contains? cfg "user@sub.legit.com"))))