diff --git a/coderd/userauth.go b/coderd/userauth.go
index 188a877e51..a028ebf4c2 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -929,15 +929,23 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 if len(api.OIDCConfig.EmailDomain) > 0 {
 ok = false
+ emailSp := strings.Split(email, "@")
+ if len(emailSp) == 1 {
+ httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+ Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
+ })
+ return
+ }
+ userEmailDomain := emailSp[len(emailSp)-1]
 for _, domain := range api.OIDCConfig.EmailDomain {
- if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
+ if strings.EqualFold(userEmailDomain, domain) {
 ok = true
 break
 }
 }
 if !ok {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
- Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomain),
+ Message: fmt.Sprintf("Your email %q is not in domains %q!", email, api.OIDCConfig.EmailDomain),
 })
 return
 }
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index db23432440..4432710c28 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -798,6 +798,17 @@ func TestUserOIDC(t *testing.T) {
 "kwc.io",
 },
 StatusCode: http.StatusOK,
+ }, {
+ Name: "EmailDomainSubset",
+ IDTokenClaims: jwt.MapClaims{
+ "email": "colin@gmail.com",
+ "email_verified": true,
+ },
+ AllowSignups: true,
+ EmailDomain: []string{
+ "mail.com",
+ },
+ StatusCode: http.StatusForbidden,
 }, {
 Name: "EmptyClaims",
 IDTokenClaims: jwt.MapClaims{},
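Review bot: `emailSp[len(emailSp)-1]` is the empty string for an email claim that ends in `@`, and the new `len(emailSp) == 1` guard does not catch that; whether an empty domain can then match depends on whether a configured `EmailDomain` entry can itself be empty (the flag parsing is not in view), so I would reject it explicitly rather than rely on that: `if len(emailSp) == 1 || emailSp[len(emailSp)-1] == "" {`. The move from `HasSuffix` to `EqualFold` closes the `gmail.com`/`mail.com` overlap the test below pins, but it also stops accepting subdomains (`alice@eng.example.com` no longer satisfies `example.com`) and any entry an operator configured with a leading `@` or stray whitespace, both of which the old suffix check tolerated; that tightening is reasonable, but it deserves a comment above the loop, `// Exact, case-insensitive match on the part after the last '@'; subdomains of a configured domain are not accepted.`, and a line in the release notes. Note that `EqualFold` applies Unicode simple case folding rather than an ASCII-only compare, which is the same exposure the previous `ToLower` had, so it is not a regression. userOIDC begins and ends outside this hunk.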
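Review bot: The new `EmailDomainSubset` row pins only the suffix-overlap bug; the other behaviours the production change introduces are untested, so a later return to `HasSuffix` or a switch to an ASCII-only compare would pass this table unnoticed. I would add three sibling rows next to it: an email with no `@` at all (now rejected by the new guard), a subdomain such as `colin@eng.kwc.io` against `kwc.io` (now rejected), and a case-only difference such as `Colin@KWC.IO` against `kwc.io` (still accepted). The table's declaration and the loop that runs it sit outside this hunk, so the expected status for the no-`@` case should be checked against how the harness builds the claims.
```go
	}, {
		Name: "EmailDomainNoAt",
		IDTokenClaims: jwt.MapClaims{
			"email":          "colin",
			"email_verified": true,
		},
		AllowSignups: true,
		EmailDomain:  []string{"kwc.io"},
		StatusCode:   http.StatusForbidden,
	}, {
		Name: "EmailDomainSubdomainRejected",
		IDTokenClaims: jwt.MapClaims{
			"email":          "colin@eng.kwc.io",
			"email_verified": true,
		},
		AllowSignups: true,
		EmailDomain:  []string{"kwc.io"},
		StatusCode:   http.StatusForbidden,
	}, {
		Name: "EmailDomainCaseInsensitive",
		IDTokenClaims: jwt.MapClaims{
			"email":          "Colin@KWC.IO",
			"email_verified": true,
		},
		AllowSignups: true,
		EmailDomain:  []string{"kwc.io"},
		StatusCode:   http.StatusOK,
	// … unchanged: remaining table rows …
```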