diff --git a/dovecot/keyproxy.go b/dovecot/keyproxy.go
index bd8964018eca5b747f7bfd9cdfb4e05e62d1c7da..f140cea2710a5a4daca62559df199262cac8d9ff 100644
--- a/dovecot/keyproxy.go
+++ b/dovecot/keyproxy.go
@@ -80,17 +80,17 @@ func NewKeyLookupProxy(config *Config) (*KeyLookupProxy, error) {
 // Lookup a key using the dovecot dict proxy interface.
 //
 // We can be sent a userdb lookup, or a passdb lookup, and we can tell
-// them apart from the structure of the key:
-//
-// If it contains passwordSep, then it's a passdb lookup and the key
-// consists of 'username' and 'password'. Otherwise, it's a userdb
-// lookup and the key is simply the username.
+// them apart with the key prefix (passdb/ or userdb/).
 func (s *KeyLookupProxy) Lookup(ctx context.Context, key string) (interface{}, bool) {
-	if strings.Contains(key, passwordSep) {
-		kparts := strings.SplitN(key, passwordSep, 2)
+	switch {
+	case strings.HasPrefix(key, "passdb/"):
+		kparts := strings.SplitN(key[7:], passwordSep, 2)
 		return s.lookupPassdb(ctx, kparts[0], kparts[1])
+	case strings.HasPrefix(key, "userdb/"):
+		return s.lookupUserdb(ctx, key[7:])
+	default:
+		return nil, false
 	}
-	return s.lookupUserdb(ctx, key)
 }
 
 func (s *KeyLookupProxy) lookupUserdb(ctx context.Context, username string) (interface{}, bool) {