diff --git a/packages/hydrooj/package.json b/packages/hydrooj/package.json
index 92307eed..cc9f2c5d 100644
--- a/packages/hydrooj/package.json
+++ b/packages/hydrooj/package.json
@@ -1,6 +1,6 @@
 {
 "name": "hydrooj",
- "version": "3.4.13",
+ "version": "3.4.14",
 "bin": "bin/hydrooj.js",
 "main": "src/loader",
 "module": "src/loader",
diff --git a/packages/hydrooj/src/handler/user.ts b/packages/hydrooj/src/handler/user.ts
index 788258b2..077b9b5a 100644
--- a/packages/hydrooj/src/handler/user.ts
+++ b/packages/hydrooj/src/handler/user.ts
@@ -381,6 +381,8 @@ class OauthCallbackHandler extends Handler {
 let username = '';
 r.uname = r.uname || [];
 r.uname.push(String.random(16));
+ const mailDomain = r.email.split('@')[1];
+ if (await BlackListModel.get(`mail::${mailDomain}`)) throw new BlacklistedError(mailDomain);
 for (const uname of r.uname) {
 // eslint-disable-next-line no-await-in-loop
 const nudoc = await user.getByUname('system', uname);
diff --git a/packages/hydrooj/src/interface.ts b/packages/hydrooj/src/interface.ts
index 90d35ee6..58d71226 100644
--- a/packages/hydrooj/src/interface.ts
+++ b/packages/hydrooj/src/interface.ts
@@ -57,8 +57,8 @@ export interface Setting {
 export interface OAuthUserResponse {
 _id: string;
+ email: string;
 avatar?: string;
- email?: string;
 bio?: string;
 uname?: string[];
 viewLang?: string;
diff --git a/packages/login-with-github/lib.ts b/packages/login-with-github/lib.ts
index a27f6782..23fbc1ec 100644
--- a/packages/login-with-github/lib.ts
+++ b/packages/login-with-github/lib.ts
@@ -1,6 +1,7 @@
 import 'hydrooj';
 import superagent from 'superagent';
+import { ForbiddenError } from 'hydrooj/src/error';
 declare module 'hydrooj' {
 interface SystemKeys {
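Review bot: The blacklist lookup added to OauthCallbackHandler keys on `r.email.split('@')[1]` exactly as the provider returned it, so a differently-cased domain or an address containing more than one `@` would miss a `mail::` entry, assuming those entries are stored in lower case. Taking the part after the last `@` and lower-casing it closes that gap: `const mailDomain = r.email.slice(r.email.lastIndexOf('@') + 1).toLowerCase();`. `r.email` is also dereferenced with no runtime check; the interface change in this commit makes it required at the type level only, so a provider that omits it would fail here with a TypeError rather than a handled error, and an explicit guard before this line would make that case visible. The handler body starts and ends outside the hunk.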
@@ -19,7 +20,7 @@ async function get() {
 system.get('login-with-github.id'),
 token.add(token.TYPE_OAUTH, 600, { redirect: this.request.referer }),
 ]);
- this.response.redirect = `https://github.com/login/oauth/authorize?client_id=${appid}&state=${state}`;
+ this.response.redirect = `https://github.com/login/oauth/authorize?client_id=${appid}&state=${state}&scope=read:user,user:email`;
 }
 async function callback({ state, code }) {
@@ -60,8 +61,18 @@ async function callback({ state, code }) {
 uname: [userInfo.body.name, userInfo.body.login],
 avatar: `github:${userInfo.body.login}`,
 };
- this.response.redirect = s.redirect;
+ if (!ret.email) {
+ const emailInfo = await superagent.get(`${endpoint ? `${endpoint}/api` : 'https://api.github.com'}/user/emails`)
+ .set('User-Agent', 'Hydro-OAuth')
+ .set('Accept', 'application/vnd.github.v3+json')
+ .set('Authorization', `token ${t}`);
+ if (emailInfo.body.length) {
+ ret.email = emailInfo.body.find((e) => e.primary && e.verified).email;
+ }
+ }
 await token.del(s._id, token.TYPE_OAUTH);
+ if (!ret.email) throw new ForbiddenError("You don't have a verified email.");
+ this.response.redirect = (s.redirect || '').endsWith('/login') ? '/' : s.redirect;
 return ret;
 }
diff --git a/packages/login-with-github/package.json b/packages/login-with-github/package.json
index 339b3c3c..4e6bd199 100644
--- a/packages/login-with-github/package.json
+++ b/packages/login-with-github/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@hydrooj/login-with-github",
- "version": "0.1.3",
+ "version": "0.1.4",
 "main": "package.json",
 "repository": "git@github.com:hydro-dev/Hydro.git",
 "author": "undefined ",
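Review bot: The authorize URL in get() now requests `read:user` in addition to `user:email`, but the fields the callback visibly reads (`name`, `login`, and the addresses from `/user/emails`) look reachable with `user:email` alone, so the broader scope is worth dropping unless code outside these hunks needs it. GitHub documents `scope` as a space-delimited list, so the value would be safer written and encoded explicitly, for example `&scope=${encodeURIComponent('user:email')}`. A short comment next to the URL saying why each scope is requested would help keep the grant minimal when the handler changes later.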
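Review bot: `emailInfo.body.find((e) => e.primary && e.verified).email` throws a TypeError when the list is non-empty but holds no address that is both primary and verified, because `find` returns `undefined`; the request then fails with an unhandled error and the `token.del` call on the next line never runs, instead of reaching the ForbiddenError. `ret.email = emailInfo.body.find((e) => e.primary && e.verified)?.email;` lets the existing `if (!ret.email)` check handle that case. Separately, the new redirect line still sends the browser to `s.redirect`, which get() filled from `this.request.referer`; that value is set by the client, so it would be worth accepting only same-site paths before assigning it, and the line assigns `undefined` when `s.redirect` is missing. The address taken from the profile response earlier in callback(), outside this hunk, does not pass through the `verified` filter applied here, so confirm it cannot be an unverified one.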