diff --git a/libadlin/domain.go b/libadlin/domain.go
index 3941c72..1c33dc4 100644
--- a/libadlin/domain.go
+++ b/libadlin/domain.go
@@ -11,15 +11,23 @@ var (
 )

 func (student *Student) MyDelegatedDomainSuffix() string {
+ if student.DelegatedDomain != nil {
+ for _, ddomain := range DelegatedDomainSuffixes {
+ if strings.HasSuffix(*student.DelegatedDomain, ddomain) {
+ return ddomain
+ }
+ }
+ }
+
 return DelegatedDomainSuffixes[int(student.Id)%len(DelegatedDomainSuffixes)]
 }

 func (student *Student) MyDelegatedDomain() string {
 if student.DelegatedDomain != nil {
 return *student.DelegatedDomain
- } else {
- return fmt.Sprintf("%s.%s", strings.Trim(strings.Replace(student.Login, "_", "-", -1), "-_"), student.MyDelegatedDomainSuffix())
 }
+
+ return fmt.Sprintf("%s.%s", strings.Trim(strings.Replace(student.Login, "_", "-", -1), "-_"), student.MyDelegatedDomainSuffix())
 }

 func (student *Student) MyAssociatedDomainSuffix() string {
@@ -33,9 +41,9 @@ func (student *Student) DefaultAssociatedDomain() string {
 func (student *Student) MyAssociatedDomain() string {
 if student.AssociatedDomain != nil {
 return *student.AssociatedDomain
- } else {
- return student.DefaultAssociatedDomain()
 }
+
+ return student.DefaultAssociatedDomain()
 }

 func (student *Student) GetAssociatedDomains() (ds []string) {
diff --git a/token-validator/auth.go b/token-validator/auth.go
index 93cbaf2..8dfd0f2 100644
--- a/token-validator/auth.go
+++ b/token-validator/auth.go
@@ -30,6 +30,15 @@ func init() {
 }

 func validateAuthToken(s *adlin.Student, _ httprouter.Params, _ []byte) (interface{}, error) {
+ if s.DelegatedDomain != nil {
+ for _, ddomain := range adlin.DelegatedDomainSuffixes {
+ if strings.HasSuffix(*s.DelegatedDomain, ddomain) {
+ s.DelegatedDomain = nil
+ break
+ }
+ }
+ }
+
 return s, nil
 }

diff --git a/token-validator/domain.go b/token-validator/domain.go
index ea463de..81ed821 100644
--- a/token-validator/domain.go
+++ b/token-validator/domain.go
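Review bot: The new membership test in MyDelegatedDomainSuffix is a raw `strings.HasSuffix` on the stored name, so it is case-sensitive and not anchored on a label boundary, while DNS names compare case-insensitively; the same loop is copied into validateAuthToken in token-validator/auth.go and into the NS check in token-validator/domain.go, where it acts as the policy guard. A name written in a different case than the configured suffix would not be recognised, and since MyDelegatedDomain joins login and suffix with `%s.%s` the suffixes presumably carry no leading dot, so a name that merely ends in the same characters would be. One exported helper in libadlin that lowercases both sides and requires an exact match or a `.` before the suffix would keep the three call sites consistent. The sketch below assumes the suffix entries are stored in the same fully-qualified form as DelegatedDomain, which is not visible here.

```go
// DelegatedSuffixOf returns the entry of DelegatedDomainSuffixes that name
// falls under, compared case-insensitively and on a label boundary.
func DelegatedSuffixOf(name string) (string, bool) {
	name = strings.ToLower(name)
	for _, ddomain := range DelegatedDomainSuffixes {
		suffix := strings.ToLower(ddomain)
		if name == suffix || strings.HasSuffix(name, "."+suffix) {
			return ddomain, true
		}
	}
	return "", false
}

func (student *Student) MyDelegatedDomainSuffix() string {
	if student.DelegatedDomain != nil {
		if ddomain, ok := DelegatedSuffixOf(*student.DelegatedDomain); ok {
			return ddomain
		}
	}
	// … unchanged: fallback indexed by student.Id …
}
```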
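Review bot: validateAuthToken now clears `s.DelegatedDomain` on the caller's *adlin.Student rather than on the value it returns, and nothing in the hunk says why. If the router hands the same pointer to later code, or an `Update()` is run on it afterwards, the cleared field could be persisted or could hide the stored delegation from other checks; that depends on code outside this hunk. Consider returning a shallow copy, `resp := *s; resp.DelegatedDomain = nil; return &resp, nil`, provided Student is safe to copy. If the intent is to report such students as not delegated, a comment like `// A delegation that points back into our own zones is reported as "no delegation".` above the loop would make that explicit.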
@@ -89,6 +89,14 @@ func init() {
 return true, nil
 } else {
 ns := dns.Fqdn(ue.NS)
+
+ // Ensure ns doesn't belong to one of our domain
+ for _, ddomain := range adlin.DelegatedDomainSuffixes {
+ if strings.HasSuffix(ns, ddomain) {
+ return nil, fmt.Errorf("Vous ne pouvez pas vous créer une délégation vers ce sous-domaine: interdit par l'administrateur.")
+ }
+ }
+
 student.DelegatedDomain = &ns

 if _, err := student.Update(); err != nil {
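Review bot: A refused delegation leaves no trace on the server side: the loop returns the error to the client and nothing in the hunk records which student asked for which name. Since this enforces an administrator policy, a log line before the return, for example `log.Printf("delegation refused for %s: %q is under %s", student.Login, ns, ddomain)`, would let such attempts be spotted; it needs `log` in the file's imports, which are outside the hunk. The message has no formatting verbs, so `errors.New` fits better than `fmt.Errorf` (again subject to the import block), and the comment should read `// Ensure ns doesn't belong to one of our domains`. The enclosing handler starts and ends outside the hunk.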