diff --git a/.env.sample b/.env.sample
index 8a79a2171..50c099999 100644
--- a/.env.sample
+++ b/.env.sample
@@ -20,6 +20,9 @@ SLACK_SECRET=d2dc414f9953226bad0a356cXXXXYYYY
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
+# Comma separated list of domains to be allowed (optional)
+# If not set, all Google apps domains are allowed by default
+GOOGLE_ALLOWED_DOMAINS=
# Third party credentials (optional)
SLACK_VERIFICATION_TOKEN=PLxk6OlXXXXXVj3YYYY
diff --git a/server/auth/google.js b/server/auth/google.js
index 7553fe52f..c8f28f51e 100644
--- a/server/auth/google.js
+++ b/server/auth/google.js
@@ -12,6 +12,7 @@ const client = new OAuth2Client(
process.env.GOOGLE_CLIENT_SECRET,
`${process.env.URL}/auth/google.callback`
);
+const allowedDomainsEnv = process.env.GOOGLE_ALLOWED_DOMAINS;
// start the oauth process and redirect user to Google
router.get('google', async ctx => {
@@ -43,6 +44,13 @@ router.get('google.callback', async ctx => {
return;
}
+ // allow all domains by default if the env is not set
+ const allowedDomains = allowedDomainsEnv && allowedDomainsEnv.split(',');
+ if (allowedDomains && !allowedDomains.includes(profile.data.hd)) {
+ ctx.redirect('/?notice=hd-not-allowed');
+ return;
+ }
+
const googleId = profile.data.hd;
const teamName = capitalize(profile.data.hd.split('.')[0]);
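Review bot: The allowlist comparison on the `allowedDomains.includes(profile.data.hd)` line is an exact string match, so an entry with surrounding whitespace (`example.com, other.com`) or a case difference between the configured value and the `hd` claim rejects a legitimate domain, and a stray trailing comma produces an empty-string entry. Normalizing the list and comparing case-insensitively keeps the allowlist strict while avoiding configuration-driven lockouts: `const allowedDomains = allowedDomainsEnv && allowedDomainsEnv.split(',').map(d => d.trim().toLowerCase()).filter(Boolean);` followed by `if (allowedDomains && !allowedDomains.includes(String(profile.data.hd).toLowerCase())) {`. Because the env value does not change at runtime, that parsing could also move next to the `allowedDomainsEnv` declaration in the earlier hunk so it runs once at startup rather than on every callback. Whether Google already returns `hd` in lowercase is not established here, and the check relies on an earlier guard in this callback rejecting profiles without an `hd` value; that guard and the rest of the handler sit outside the hunk.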
diff --git a/server/pages/Home.js b/server/pages/Home.js
index 81c0b90d4..f937cfa6b 100644
--- a/server/pages/Home.js
+++ b/server/pages/Home.js
@@ -10,7 +10,7 @@ import SigninButtons from './components/SigninButtons';
import { developers, githubUrl } from '../../shared/utils/routeHelpers';
type Props = {
- notice?: 'google-hd' | 'auth-error',
+ notice?: 'google-hd' | 'auth-error' | 'hd-not-allowed',
lastSignedIn: string,
googleSigninEnabled: boolean,
slackSigninEnabled: boolean,
@@ -38,6 +38,12 @@ function Home(props: Props) {
try signing in with your company Google account.
)}
+ {props.notice === 'hd-not-allowed' && (
+
+ Sorry, your Google apps domain is not allowed. Please try again
+ with an allowed company domain.
+
+ )}
{props.notice === 'auth-error' && (
Authentication failed - we were unable to sign you in at this