diff --git a/modules/setting/service.go b/modules/setting/service.go
index 7a907023c4..cc84ac7257 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -1,9 +1,11 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved
 // SPDX-License-Identifier: MIT
 
 package setting
 
 import (
+	"net/url"
 	"regexp"
 	"slices"
 	"strings"
@@ -145,6 +147,20 @@ func LoadServiceSetting() {
 	loadServiceFrom(CfgProvider)
 }
 
+func appURLAsGlob(fqdn string) (glob.Glob, error) {
+	localFqdn, err := url.ParseRequestURI(fqdn)
+	if err != nil {
+		log.Error("Error in EmailDomainAllowList: %v", err)
+		return nil, err
+	}
+	appFqdn, err := glob.Compile(localFqdn.Hostname(), ',')
+	if err != nil {
+		log.Error("Error in EmailDomainAllowList: %v", err)
+		return nil, err
+	}
+	return appFqdn, nil
+}
+
 func loadServiceFrom(rootCfg ConfigProvider) {
 	sec := rootCfg.Section("service")
 	Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
@@ -164,7 +180,15 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 	if sec.HasKey("EMAIL_DOMAIN_WHITELIST") {
 		deprecatedSetting(rootCfg, "service", "EMAIL_DOMAIN_WHITELIST", "service", "EMAIL_DOMAIN_ALLOWLIST", "1.21")
 	}
-	Service.EmailDomainAllowList = CompileEmailGlobList(sec, "EMAIL_DOMAIN_WHITELIST", "EMAIL_DOMAIN_ALLOWLIST")
+	emailDomainAllowList := CompileEmailGlobList(sec, "EMAIL_DOMAIN_WHITELIST", "EMAIL_DOMAIN_ALLOWLIST")
+
+	if len(emailDomainAllowList) > 0 && Federation.Enabled {
+		appURL, err := appURLAsGlob(AppURL)
+		if err == nil {
+			emailDomainAllowList = append(emailDomainAllowList, appURL)
+		}
+	}
+	Service.EmailDomainAllowList = emailDomainAllowList
 	Service.EmailDomainBlockList = CompileEmailGlobList(sec, "EMAIL_DOMAIN_BLOCKLIST")
 	Service.EmailDomainBlockDisposable = sec.Key("EMAIL_DOMAIN_BLOCK_DISPOSABLE").MustBool(false)
 	if Service.EmailDomainBlockDisposable {
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index c9d30836ac..8350b914c5 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -1,5 +1,6 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
 // Copyright 2017 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved
 // SPDX-License-Identifier: MIT
 
 package setting
@@ -210,6 +211,7 @@ func LoadSettings() {
 	initAllLoggers()
 
 	loadDBSetting(CfgProvider)
+	loadFederationFrom(CfgProvider)
 	loadServiceFrom(CfgProvider)
 	loadOAuth2ClientFrom(CfgProvider)
 	loadCacheFrom(CfgProvider)
@@ -224,7 +226,6 @@ func LoadSettings() {
 	LoadQueueSettings()
 	loadProjectFrom(CfgProvider)
 	loadMimeTypeMapFrom(CfgProvider)
-	loadFederationFrom(CfgProvider)
 	loadF3From(CfgProvider)
 }
 
diff --git a/modules/setting/setting_test.go b/modules/setting/setting_test.go
index f77ee65974..6801844729 100644
--- a/modules/setting/setting_test.go
+++ b/modules/setting/setting_test.go
@@ -1,4 +1,5 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved
 // SPDX-License-Identifier: MIT
 
 package setting
@@ -9,6 +10,7 @@ import (
 	"code.gitea.io/gitea/modules/json"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestMakeAbsoluteAssetURL(t *testing.T) {
@@ -30,3 +32,84 @@ func TestMakeManifestData(t *testing.T) {
 	jsonBytes := MakeManifestData(`Example App '\"`, "https://example.com", "https://example.com/foo/bar")
 	assert.True(t, json.Valid(jsonBytes))
 }
+
+func TestLoadServiceDomainListsForFederation(t *testing.T) {
+	oldAppURL := AppURL
+	oldFederation := Federation
+	oldService := Service
+
+	defer func() {
+		AppURL = oldAppURL
+		Federation = oldFederation
+		Service = oldService
+	}()
+
+	cfg, err := NewConfigProviderFromData(`
+[federation]
+ENABLED = true
+[service]
+EMAIL_DOMAIN_ALLOWLIST = *.allow.random
+EMAIL_DOMAIN_BLOCKLIST = *.block.random
+`)
+
+	require.NoError(t, err)
+	loadServerFrom(cfg)
+	loadFederationFrom(cfg)
+	loadServiceFrom(cfg)
+
+	assert.True(t, match(Service.EmailDomainAllowList, "d1.allow.random"))
+	assert.True(t, match(Service.EmailDomainAllowList, "localhost"))
+}
+
+func TestLoadServiceDomainListsNoFederation(t *testing.T) {
+	oldAppURL := AppURL
+	oldFederation := Federation
+	oldService := Service
+
+	defer func() {
+		AppURL = oldAppURL
+		Federation = oldFederation
+		Service = oldService
+	}()
+
+	cfg, err := NewConfigProviderFromData(`
+[federation]
+ENABLED = false
+[service]
+EMAIL_DOMAIN_ALLOWLIST = *.allow.random
+EMAIL_DOMAIN_BLOCKLIST = *.block.random
+`)
+
+	require.NoError(t, err)
+	loadServerFrom(cfg)
+	loadFederationFrom(cfg)
+	loadServiceFrom(cfg)
+
+	assert.True(t, match(Service.EmailDomainAllowList, "d1.allow.random"))
+}
+
+func TestLoadServiceDomainListsFederationEmptyAllowList(t *testing.T) {
+	oldAppURL := AppURL
+	oldFederation := Federation
+	oldService := Service
+
+	defer func() {
+		AppURL = oldAppURL
+		Federation = oldFederation
+		Service = oldService
+	}()
+
+	cfg, err := NewConfigProviderFromData(`
+[federation]
+ENABLED = true
+[service]
+EMAIL_DOMAIN_BLOCKLIST = *.block.random
+`)
+
+	require.NoError(t, err)
+	loadServerFrom(cfg)
+	loadFederationFrom(cfg)
+	loadServiceFrom(cfg)
+
+	assert.Empty(t, Service.EmailDomainAllowList)
+}
diff --git a/modules/validation/email.go b/modules/validation/email.go
index bef816586f..326e93378a 100644
--- a/modules/validation/email.go
+++ b/modules/validation/email.go
@@ -1,5 +1,6 @@
 // Copyright 2016 The Gogs Authors. All rights reserved.
 // Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Forgejo Authors. All rights reserved
 // SPDX-License-Identifier: MIT
 
 package validation
@@ -100,11 +101,25 @@ func validateEmailDomain(email string) error {
 }
 
 func IsEmailDomainAllowed(email string) bool {
-	if len(setting.Service.EmailDomainAllowList) == 0 {
-		return !isEmailDomainListed(setting.Service.EmailDomainBlockList, email)
-	}
+	return isEmailDomainAllowedInternal(
+		email,
+		setting.Service.EmailDomainAllowList,
+		setting.Service.EmailDomainBlockList)
+}
 
-	return isEmailDomainListed(setting.Service.EmailDomainAllowList, email)
+func isEmailDomainAllowedInternal(
+	email string,
+	emailDomainAllowList []glob.Glob,
+	emailDomainBlockList []glob.Glob,
+) bool {
+	var result bool
+
+	if len(emailDomainAllowList) == 0 {
+		result = !isEmailDomainListed(emailDomainBlockList, email)
+	} else {
+		result = isEmailDomainListed(emailDomainAllowList, email)
+	}
+	return result
 }
 
 // isEmailDomainListed checks whether the domain of an email address
diff --git a/modules/validation/email_test.go b/modules/validation/email_test.go
index e5125a9357..ffdc6fd4ee 100644
--- a/modules/validation/email_test.go
+++ b/modules/validation/email_test.go
@@ -1,4 +1,5 @@
 // Copyright 2017 The Gitea Authors. All rights reserved.
+// Copyright 2024 The Forgejo Authors. All rights reserved
 // SPDX-License-Identifier: MIT
 
 package validation
@@ -65,3 +66,8 @@ func TestEmailAddressValidate(t *testing.T) {
 		})
 	}
 }
+
+func TestEmailDomainAllowList(t *testing.T) {
+	res := IsEmailDomainAllowed("someuser@localhost.localdomain")
+	assert.True(t, res)
+}