diff --git a/services/comms/mas-configmap.yaml b/services/comms/mas-configmap.yaml
index 5e6cfdd..9d2c11e 100644
--- a/services/comms/mas-configmap.yaml
+++ b/services/comms/mas-configmap.yaml
@@ -72,7 +72,7 @@ data:
 template: "{{ user.name }}"
 email:
 action: force
- template: "{{ user.email }}"
+ template: "{{ user.mailu_email }}"
 policy:
 data:
diff --git a/services/keycloak/realm-settings-job.yaml b/services/keycloak/realm-settings-job.yaml
index 6e6589d..e94076c 100644
--- a/services/keycloak/realm-settings-job.yaml
+++ b/services/keycloak/realm-settings-job.yaml
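Review bot: The email template now reads a custom `mailu_email` claim that exists only when the Keycloak client carries the matching attribute mapper and the user actually has that attribute set; combined with `action: force` it is not visible here what MAS writes when the claim is absent (an empty email or an unchanged one), which is worth confirming for users created before the attribute was populated. A line comment would make the coupling explicit: `# custom claim from the mailu-email-claim mapper in services/keycloak/realm-settings-job.yaml`.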
@@ -542,6 +542,53 @@ spec:
 if status not in (201, 204):
 raise SystemExit(f"Unexpected mailu email mapper create response: {status}")
 
+ mailu_claim_mapper = {
+ "name": "mailu-email-claim",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": False,
+ "config": {
+ "user.attribute": "mailu_email",
+ "claim.name": "mailu_email",
+ "jsonType.label": "String",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "userinfo.token.claim": "true",
+ "multivalued": "false",
+ "aggregate.attrs": "false",
+ },
+ }
+ status, mappers = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/clients/{client_id}/protocol-mappers/models",
+ access_token,
+ )
+ existing_claim = None
+ if status == 200 and isinstance(mappers, list):
+ for item in mappers:
+ if isinstance(item, dict) and item.get("name") == mailu_claim_mapper["name"]:
+ existing_claim = item
+ break
+ if existing_claim and existing_claim.get("id"):
+ mailu_claim_mapper["id"] = existing_claim["id"]
+ status, _ = http_json(
+ "PUT",
+ f"{base_url}/admin/realms/{realm}/clients/{client_id}/protocol-mappers/models/{existing_claim['id']}",
+ access_token,
+ mailu_claim_mapper,
+ )
+ if status not in (200, 204):
+ raise SystemExit(f"Unexpected mailu email claim mapper update response: {status}")
+ else:
+ status, _ = http_json(
+ "POST",
+ f"{base_url}/admin/realms/{realm}/clients/{client_id}/protocol-mappers/models",
+ access_token,
+ mailu_claim_mapper,
+ )
+ if status not in (201, 204):
+ raise SystemExit(f"Unexpected mailu email claim mapper create response: {status}")
+
 # Ensure MFA is on by default for newly-created users.
 status, required_actions = http_json(
 "GET",
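Review bot: A failed listing is silently treated as "no mapper yet": when the GET on `protocol-mappers/models` returns anything but 200 (or a non-list body), `existing_claim` stays None and the code falls through to the POST, so a transient auth or network error surfaces as a misleading "claim mapper create response" exit, or as a duplicate mapper if the server accepts it. Fail on the listing itself before searching it, e.g. `if status != 200 or not isinstance(mappers, list): raise SystemExit(f"Unexpected protocol mapper list response: {status}")`. Since this mapper copies the `mailu_email` user attribute into the id, access and userinfo tokens and the MAS config in the first file force-syncs it as the account email, the attribute must stay admin-managed — whether the realm's user profile lets end users edit it is not visible here and should be confirmed and recorded on the dict: `# mailu_email must be an admin-managed attribute: MAS force-syncs this claim as the account email`. The list/update/create sequence appears to repeat the preceding mailu email mapper block almost line for line; a small `upsert_protocol_mapper(mapper)` helper would remove that duplication, and the enclosing script continues outside the hunk on both sides.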