Yeah, that wasn't working.
We found the problem, though. If there's no catch-all email address then the first email address is primary and cannot use the domain to log in; my customer was using the standard format for the username of "firstname.lastname@example.org". When we changed that to just "robert" he was able to log in.
DA has some quirks I'm not used to.