diff --git a/rest_registration/utils/users.py b/rest_registration/utils/users.py
index 77063cb..3145acb 100644
--- a/rest_registration/utils/users.py
+++ b/rest_registration/utils/users.py
@@ -167,8 +167,6 @@ def get_user_by_lookup_dict(
 user_class = get_user_model()
 kwargs = {}
 kwargs.update(lookup_dict)
- if require_verified and verification_enabled and verification_flag_field:
- kwargs[verification_flag_field] = True
 try:
 queryset = user_class.objects.all() # type: QuerySet[AbstractBaseUser]
 user = get_object_or_404(queryset, **kwargs)
@@ -177,6 +175,16 @@ def get_user_by_lookup_dict(
 raise UserNotFound() from None
 return default
 else:
+ # the user must be verified if requested and if not superuser
+ if (
+ require_verified
+ and verification_enabled
+ and verification_flag_field
+ and not getattr(user, verification_flag_field)
+ and not user.is_superuser
+ ):
+ raise UserNotFound()
+
 return user
diff --git a/tests/api/views/register_email/test_verify_email.py b/tests/api/views/register_email/test_verify_email.py
index 9f695e0..d1c3658 100644
--- a/tests/api/views/register_email/test_verify_email.py
+++ b/tests/api/views/register_email/test_verify_email.py
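Review bot: The new post-fetch check in the `else:` branch always raises `UserNotFound()`, while the `except` path just above it still has a `return default` outcome, so a caller that passes a `default` to get a non-raising lookup will now get an exception for an unverified user instead of the default; the new check should route through the same default-or-raise handling as the except branch (presumably the condition guarding `raise UserNotFound() from None`, which is outside the hunk). Separately, `user.is_superuser` comes from Django's `PermissionsMixin`, not from `AbstractBaseUser` as the queryset type comment declares, so a custom user model without the mixin would raise `AttributeError` at this line; `and not getattr(user, 'is_superuser', False)` keeps the check fail-closed for such models. This also widens what `require_verified=True` guarantees for every caller of get_user_by_lookup_dict (an unverified superuser is now accepted), which is worth stating in the function's docstring, e.g. `Superusers are exempt from the verification-flag check.` The body of get_user_by_lookup_dict starts outside the hunk.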
@@ -103,6 +103,54 @@ def test_with_username_as_verification_id_ok(self):
 self.user.refresh_from_db()
 self.assertEqual(self.user.email, self.new_email)
+ @override_rest_registration_settings({
+ "REGISTER_VERIFICATION_ENABLED": True,
+ "REGISTER_EMAIL_VERIFICATION_ENABLED": True,
+ 'USER_VERIFICATION_FLAG_FIELD': 'is_staff',
+ })
+ def test_with_custom_flag_field_not_verified_superuser_ok(self):
+ # a superuser is created with command createsuperuser
+ # the flag field (here is_staff) is not set
+ self.setup_user()
+ self.user.is_superuser = True
+ self.user.is_staff = False
+ self.user.save()
+
+ signer = RegisterEmailSigner({
+ 'user_id': self.user.id,
+ 'email': self.new_email,
+ })
+ data = signer.get_signed_data()
+ request = self.create_post_request(data)
+ response = self.view_func(request)
+ self.assert_valid_response(response, status.HTTP_200_OK)
+ self.user.refresh_from_db()
+ self.assertEqual(self.user.email, self.new_email)
+
+ @override_rest_registration_settings({
+ "REGISTER_VERIFICATION_ENABLED": True,
+ "REGISTER_EMAIL_VERIFICATION_ENABLED": True,
+ 'USER_VERIFICATION_FLAG_FIELD': 'is_staff',
+ })
+ def test_with_custom_flag_field_not_verified(self):
+ # a normal user is created
+ # the flag field (here is_staff) is not set
+ self.setup_user()
+ self.user.is_staff = False
+ self.user.save()
+ old_email = self.user.email
+
+ signer = RegisterEmailSigner({
+ 'user_id': self.user.id,
+ 'email': self.new_email,
+ })
+ data = signer.get_signed_data()
+ request = self.create_post_request(data)
+ response = self.view_func(request)
+ self.assert_response_is_bad_request(response)
+ self.user.refresh_from_db()
+ self.assertEqual(self.user.email, old_email)
+
 @override_settings(
 REST_REGISTRATION={
 'REGISTER_EMAIL_VERIFICATION_URL': REGISTER_EMAIL_VERIFICATION_URL,