diff --git a/coderd/userauth.go b/coderd/userauth.go
index b9d163a6afdac..bb7f0ee64c293 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -960,6 +960,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 }
 userEmailDomain := emailSp[len(emailSp)-1]
 for _, domain := range api.OIDCConfig.EmailDomain {
+ // Folks sometimes enter EmailDomain with a leading '@'.
+ domain = strings.TrimPrefix(domain, "@")
 if strings.EqualFold(userEmailDomain, domain) {
 ok = true
 break
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index ef62005b9e1f4..bc556fe604ebe 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -941,6 +941,30 @@ func TestUserOIDC(t *testing.T) {
 },
 StatusCode: http.StatusForbidden,
 },
+ {
+ Name: "EmailDomainWithLeadingAt",
+ IDTokenClaims: jwt.MapClaims{
+ "email": "cian@coder.com",
+ "email_verified": true,
+ },
+ AllowSignups: true,
+ EmailDomain: []string{
+ "@coder.com",
+ },
+ StatusCode: http.StatusOK,
+ },
+ {
+ Name: "EmailDomainForbiddenWithLeadingAt",
+ IDTokenClaims: jwt.MapClaims{
+ "email": "kyle@kwc.io",
+ "email_verified": true,
+ },
+ AllowSignups: true,
+ EmailDomain: []string{
+ "@coder.com",
+ },
+ StatusCode: http.StatusForbidden,
+ },
 {
 Name: "EmailDomainCaseInsensitive",
 IDTokenClaims: jwt.MapClaims{
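Review bot: The normalization at `domain = strings.TrimPrefix(domain, "@")` runs on every login inside the comparison loop, and an allowlist entry consisting of just `@` becomes the empty string, which `strings.EqualFold` would match against an empty `userEmailDomain` if one can reach this point (whether the earlier email validation rules that out is outside the hunk). Two safer shapes: normalize `api.OIDCConfig.EmailDomain` once where the config is parsed so every consumer of the allowlist sees the same canonical value, and skip empty entries here with `if domain == "" { continue }` immediately after the trim. Trimming surrounding whitespace as well (`strings.TrimSpace`) would cover the other common copy-paste mistake, though that widens the change. The new cases in the userauth_test.go hunk cover a leading `@` only; a case with `EmailDomain: []string{"@"}` expecting `http.StatusForbidden` would pin the empty-entry behaviour. userOIDC starts before this hunk and continues past it.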