Instead of blocking custom domain email addresses outright, the site could require a secondary recovery email address from an approved provider when an email with a custom domain is used to create the account. Then any security interaction like password reset, or 2fa would go to the primary address and would send an alert to the secondary email address about the nature of the communication. There could be a link in the email (sent to the secondary email address) that could allow the user access to instantly lock the account and/or disable access to the account from the primary email address until the user updates thier settings. The secondary recovery email address should not be able to be changed without an email confirmation (to the secondary email).
Good practice for users in general is to use email services like gmail as thier login/account email and add thier custom domain emails in thier bio.
Good practice for users in general is to use email services like gmail as thier login/account email and add thier custom domain emails in thier bio.