If you deliver email to a customer and you notice that it bounces, any account security flows requiring access to that email should be disabled. Additionally, you should never show the full email address or phone number that is being used for an auth challenge. Nonetheless, those defenses will eventually be compromised.

Beyond that, it is not a company problem IMO. One of the most common uses for custom domains is custom email addresses. If a website prevented me from using it, as you propose, I would be flabbergasted.