diff --git a/changes/21813-email-err b/changes/21813-email-err new file mode 100644 index 0000000000..a9d25ecc21 --- /dev/null +++ b/changes/21813-email-err @@ -0,0 +1,2 @@ +- Fixed regression: we now check if the email used to get a signed CSR is invalid (i.e. is an email + from a free email provider). \ No newline at end of file diff --git a/frontend/pages/admin/IntegrationsPage/cards/MdmSettings/AppleMdmPage/components/modals/RenewCertModal/RenewCertModal.tsx b/frontend/pages/admin/IntegrationsPage/cards/MdmSettings/AppleMdmPage/components/modals/RenewCertModal/RenewCertModal.tsx index f596e8574c..8d71e91817 100644 --- a/frontend/pages/admin/IntegrationsPage/cards/MdmSettings/AppleMdmPage/components/modals/RenewCertModal/RenewCertModal.tsx +++ b/frontend/pages/admin/IntegrationsPage/cards/MdmSettings/AppleMdmPage/components/modals/RenewCertModal/RenewCertModal.tsx @@ -65,7 +65,13 @@ const RenewCertModal = ({ const onDownloadError = useCallback( // eslint-disable-next-line @typescript-eslint/no-unused-vars (e: unknown) => { - renderFlash("error", "Something's gone wrong. Please try again."); + const msg = getErrorReason(e); + + if (msg.toLowerCase().includes("email address is not valid")) { + renderFlash("error", msg); + } else { + renderFlash("error", "Something's gone wrong. Please try again."); + } }, [renderFlash] ); diff --git a/server/service/integration_mdm_test.go b/server/service/integration_mdm_test.go index f8b3fb6790..61d25d5459 100644 --- a/server/service/integration_mdm_test.go +++ b/server/service/integration_mdm_test.go 
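Review bot: The new branch in `onDownloadError` picks the flash text by substring-matching the server's reason (`"email address is not valid"`) and then displays the whole `msg`, so the UI is coupled to backend wording and shows whatever the server appended to it. In the `mdm.go` hunk of this commit that reason is built with `%v` of the upstream error, so text from the fleetdm.com response may reach the flash verbatim. Consider keying on the HTTP status or the error's field name and rendering a fixed string, e.g. `renderFlash("error", "This email address is not valid.");`. The `// eslint-disable-next-line @typescript-eslint/no-unused-vars` above `(e: unknown)` looks stale now that `e` is used, and `getErrorReason` has to be imported outside this hunk.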
@@ -1329,6 +1329,14 @@ func (s *integrationMDMTestSuite) TestGetMDMCSR() { require.Len(t, errResp.Errors, 1) require.Contains(t, errResp.Errors[0].Reason, "FleetDM CSR request failed") + // Check that we return bad request if the website API does (it will do this in case of an + // invalid email address + s.FailNextCSRRequestWith(http.StatusUnprocessableEntity) + errResp = validationErrResp{} + s.DoJSON("GET", "/api/latest/fleet/mdm/apple/request_csr", getMDMAppleCSRRequest{}, http.StatusUnprocessableEntity, &errResp) + require.Len(t, errResp.Errors, 1) + require.Contains(t, errResp.Errors[0].Reason, "this email address is not valid") + // Invalid APNS cert upload attempt s.uploadDataViaForm("/api/latest/fleet/mdm/apple/apns_certificate", "certificate", "certificate.pem", []byte("invalid-cert"), http.StatusUnprocessableEntity, "Invalid certificate. Please provide a valid certificate from Apple Push Certificate Portal.", nil) diff --git a/server/service/mdm.go b/server/service/mdm.go index 294d503d81..7a06c015cd 100644 --- a/server/service/mdm.go +++ b/server/service/mdm.go @@ -2351,6 +2351,16 @@ func (svc *Service) GetMDMAppleCSR(ctx context.Context) ([]byte, error) { if err != nil { var fwe apple_mdm.FleetWebsiteError if errors.As(err, &fwe) { + // From svc.RequestMDMAppleCSR: fleetdm.com returns a bad request here if the email is invalid. + if fwe.Status >= 400 && fwe.Status <= 499 { + return nil, ctxerr.Wrap( + ctx, + fleet.NewInvalidArgumentError( + "email_address", + fmt.Sprintf("this email address is not valid: %v", err), + ), + ) + } return nil, ctxerr.Wrap( ctx, fleet.NewUserMessageError(
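Review bot: The comment on the added case says the website API returns "bad request", but the test injects `http.StatusUnprocessableEntity` (422), and the parenthesis opened at `(it will do this` is never closed. Suggested comment: `// Check that a 422 from the website API (returned for an invalid email address) is surfaced as a validation error.` Since the handler change in this commit maps every 4xx status to this message, a companion case with a non-validation 4xx (for example `http.StatusTooManyRequests`) would pin down whether that mapping is intended. TestGetMDMCSR starts and ends outside the hunk.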
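Review bot: The added check `fwe.Status >= 400 && fwe.Status <= 499` reports every client-error status from fleetdm.com as an invalid email, so a 401, 403, 404 or 429 from the website would tell the admin their address is bad and hide the real cause. Narrow it to the status the website actually uses for this case, e.g. `if fwe.Status == http.StatusBadRequest || fwe.Status == http.StatusUnprocessableEntity {` (the comment says bad request, the test uses 422). The message also interpolates `err` with `%v`, which presumably carries the upstream response text into an API error that the frontend now displays. A fixed `"this email address is not valid"` with the upstream detail kept in server-side logs would avoid relaying remote content to the client. GetMDMAppleCSR begins and ends outside the hunk.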