diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
index 5e8790d20..c7aa8a713 100644
--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
@@ -110,6 +110,7 @@ type certChecker struct {
 	acceptableValidityDurations map[time.Duration]bool
 	lints                       lint.Registry
 	logger                      blog.Logger
+	skipForbiddenDomains        bool
 }
 
 func newChecker(saDbMap certDB,
@@ -120,6 +121,7 @@ func newChecker(saDbMap certDB,
 	avd map[time.Duration]bool,
 	lints lint.Registry,
 	logger blog.Logger,
+	sfd bool,
 ) certChecker {
 	precertGetter := func(ctx context.Context, serial string) ([]byte, error) {
 		precertPb, err := sa.SelectPrecertificate(ctx, saDbMap, serial)
@@ -141,6 +143,7 @@ func newChecker(saDbMap certDB,
 		acceptableValidityDurations: avd,
 		lints:                       lints,
 		logger:                      logger,
+		skipForbiddenDomains:        sfd,
 	}
 }
 
@@ -438,14 +441,16 @@ func (c *certChecker) checkCert(ctx context.Context, cert *corepb.Certificate) (
 			problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
 			continue
 		}
-		// For defense-in-depth, even if the PA was willing to issue for a name
-		// we double check it against a list of forbidden domains. This way even
-		// if the hostnamePolicyFile malfunctions we will flag the forbidden
-		// domain matches
-		if forbidden, pattern := isForbiddenDomain(name); forbidden {
-			problems = append(problems, fmt.Sprintf(
-				"Policy Authority was willing to issue but domain '%s' matches "+
-					"forbiddenDomains entry %q", name, pattern))
+		if !c.skipForbiddenDomains {
+			// For defense-in-depth, even if the PA was willing to issue for a name
+			// we double check it against a list of forbidden domains. This way even
+			// if the hostnamePolicyFile malfunctions we will flag the forbidden
+			// domain matches
+			if forbidden, pattern := isForbiddenDomain(name); forbidden {
+				problems = append(problems, fmt.Sprintf(
+					"Policy Authority was willing to issue but domain '%s' matches "+
+						"forbiddenDomains entry %q", name, pattern))
+			}
 		}
 	}
 	for _, name := range parsedCert.IPAddresses {
@@ -534,9 +539,10 @@ type Config struct {
 
 		Workers int `validate:"required,min=1"`
 		// Deprecated: this is ignored, and cert checker always checks both expired and unexpired.
-		UnexpiredOnly  bool
-		BadResultsOnly bool
-		CheckPeriod    config.Duration
+		UnexpiredOnly        bool
+		BadResultsOnly       bool
+		SkipForbiddenDomains bool
+		CheckPeriod          config.Duration
 
 		// AcceptableValidityDurations is a list of durations which are
 		// acceptable for certificates we issue.
@@ -599,6 +605,8 @@ func main() {
 		acceptableValidityDurations[ninetyDays] = true
 	}
 
+	skipForbiddenDomains := config.CertChecker.SkipForbiddenDomains
+
 	// Validate PA config and set defaults if needed.
 	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
 	cmd.FailOnError(config.PA.CheckIdentifiers(), "Invalid PA configuration")
@@ -642,6 +650,7 @@ func main() {
 		acceptableValidityDurations,
 		lints,
 		logger,
+		skipForbiddenDomains,
 	)
 	fmt.Fprintf(os.Stderr, "# Getting certificates issued in the last %s\n", config.CertChecker.CheckPeriod)