diff --git a/src/inttest/java/com/faforever/api/data/DomainBlacklistTest.java b/src/inttest/java/com/faforever/api/data/DomainBlacklistTest.java
new file mode 100644
index 000000000..d75d80e07
--- /dev/null
+++ b/src/inttest/java/com/faforever/api/data/DomainBlacklistTest.java
@@ -0,0 +1,87 @@
+package com.faforever.api.data;
+
+import com.faforever.api.AbstractIntegrationTest;
+import org.junit.Test;
+import org.springframework.security.test.context.support.WithUserDetails;
+import org.springframework.test.context.jdbc.Sql;
+import org.springframework.test.context.jdbc.Sql.ExecutionPhase;
+
+import static org.hamcrest.Matchers.hasSize;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepDefaultUser.sql")
+@Sql(executionPhase = ExecutionPhase.BEFORE_TEST_METHOD, scripts = "classpath:sql/prepDomainBlacklistData.sql")
+@Sql(executionPhase = ExecutionPhase.AFTER_TEST_METHOD, scripts = "classpath:sql/cleanDomainBlacklistData.sql")
+public class DomainBlacklistTest extends AbstractIntegrationTest {
+  private static final String NEW_DOMAIN = "{\"data\":{\"type\":\"domainBlacklist\",\"id\":\"google.com\"}}";
+
+  @Test
+  @WithUserDetails(AUTH_USER)
+  public void emptyResultDomainBlacklistAsUser() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist"))
+      .andExpect(status().isOk())
+      .andExpect(content().string("{\"data\":[]}"));
+  }
+
+  @Test
+  @WithUserDetails(AUTH_USER)
+  public void cannotReadSpecificDomainBlacklistAsUser() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist/spam.org"))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  @WithUserDetails(AUTH_MODERATOR)
+  public void canReadDomainBlacklistAsModerator() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist"))
+      .andExpect(status().isOk())
+      .andExpect(jsonPath("$.data", hasSize(1)));
+  }
+
+  @Test
+  @WithUserDetails(AUTH_MODERATOR)
+  public void canReadSpecificDomainBlacklistAsModerator() throws Exception {
+    mockMvc.perform(get("/data/domainBlacklist/spam.org"))
+      .andExpect(status().isOk());
+  }
+
+
+  @Test
+  @WithUserDetails(AUTH_USER)
+  public void cannotCreateDomainBlacklistAsUser() throws Exception {
+    mockMvc.perform(
+      post("/data/domainBlacklist")
+        .content(NEW_DOMAIN))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  @WithUserDetails(AUTH_MODERATOR)
+  public void canCreateDomainBlacklistAsModerator() throws Exception {
+    mockMvc.perform(
+      post("/data/domainBlacklist")
+        .content(NEW_DOMAIN))
+      .andExpect(status().isCreated());
+  }
+
+  @Test
+  @WithUserDetails(AUTH_USER)
+  public void cannotDeleteDomainBlacklistAsUser() throws Exception {
+    mockMvc.perform(
+      delete("/data/domainBlacklist/spam.org"))
+      .andExpect(status().isForbidden());
+  }
+
+  @Test
+  @WithUserDetails(AUTH_MODERATOR)
+  public void canDeleteDomainBlacklistAsModerator() throws Exception {
+    mockMvc.perform(
+      delete("/data/domainBlacklist/spam.org"))
+      .andExpect(status().isNoContent());
+  }
+}
diff --git a/src/inttest/resources/sql/cleanDomainBlacklistData.sql b/src/inttest/resources/sql/cleanDomainBlacklistData.sql
new file mode 100644
index 000000000..8afc07cb6
--- /dev/null
+++ b/src/inttest/resources/sql/cleanDomainBlacklistData.sql
@@ -0,0 +1 @@
+DELETE FROM email_domain_blacklist;
diff --git a/src/inttest/resources/sql/prepDomainBlacklistData.sql b/src/inttest/resources/sql/prepDomainBlacklistData.sql
new file mode 100644
index 000000000..d84931cae
--- /dev/null
+++ b/src/inttest/resources/sql/prepDomainBlacklistData.sql
@@ -0,0 +1,2 @@
+DELETE FROM email_domain_blacklist;
+INSERT INTO email_domain_blacklist VALUES ('spam.org');
diff --git a/src/main/java/com/faforever/api/data/domain/DomainBlacklist.java b/src/main/java/com/faforever/api/data/domain/DomainBlacklist.java
index 437a0e520..df49c02c4 100644
--- a/src/main/java/com/faforever/api/data/domain/DomainBlacklist.java
+++ b/src/main/java/com/faforever/api/data/domain/DomainBlacklist.java
@@ -1,6 +1,11 @@
 package com.faforever.api.data.domain;
 
+import com.faforever.api.data.checks.permission.IsModerator;
+import com.yahoo.elide.annotation.CreatePermission;
+import com.yahoo.elide.annotation.DeletePermission;
 import com.yahoo.elide.annotation.Include;
+import com.yahoo.elide.annotation.ReadPermission;
+import com.yahoo.elide.annotation.UpdatePermission;
 import lombok.EqualsAndHashCode;
 import lombok.Setter;
 
@@ -12,7 +17,11 @@
 @Entity
 @Setter
 @Table(name = "email_domain_blacklist")
-@Include(type = "domainBlacklist")
+@Include(type = "domainBlacklist", rootLevel = true)
+@ReadPermission(expression = IsModerator.EXPRESSION)
+@UpdatePermission(expression = IsModerator.EXPRESSION)
+@CreatePermission(expression = IsModerator.EXPRESSION)
+@DeletePermission(expression = IsModerator.EXPRESSION)
 @EqualsAndHashCode
 public class DomainBlacklist {
   private String domain;
diff --git a/src/main/resources/config/application.yml b/src/main/resources/config/application.yml
index 2513ba20d..0a3e6357f 100644
--- a/src/main/resources/config/application.yml
+++ b/src/main/resources/config/application.yml
@@ -5,7 +5,7 @@ faf-api:
   challonge:
     key: ${CHALLONGE_KEY:}
   database:
-    schema-version: ${DATABASE_SCHEMA_VERSION:44}
+    schema-version: ${DATABASE_SCHEMA_VERSION:46}
 
 spring:
   application: