diff --git a/server/conf.go b/server/conf.go
index 1464379..382a365 100644
--- a/server/conf.go
+++ b/server/conf.go
@@ -12,6 +12,7 @@ type Conf struct {
 Issuer string `json:"issuer"`
 SsoServices []issuer.SsoConfig `json:"sso_services"`
 AllowedClients []AllowedClient `json:"allowed_clients"`
+ Ownership DomainOwnership `json:"ownership"`
 }
 
 type AllowedClient struct {
diff --git a/server/flow.go b/server/flow.go
index 8e9204d..6265404 100644
--- a/server/flow.go
+++ b/server/flow.go
@@ -129,13 +129,16 @@ func (h *HttpServer) flowCallback(rw http.ResponseWriter, req *http.Request, _ h
 return
 }
 
- var needsMailFlag bool
+ var needsMailFlag, needsDomains bool
 ps := claims.NewPermStorage()
 for _, i := range v.target.Permissions {
 if strings.HasPrefix(i, "dynamic:") {
- if i == "dynamic:mail-client" {
+ switch i {
+ case "dynamic:mail-client":
 needsMailFlag = true
+ case "dynamic:domain-owns":
+ needsDomains = true
 }
 } else {
 ps.Set(i)
@@ -162,6 +165,13 @@ func (h *HttpServer) flowCallback(rw http.ResponseWriter, req *http.Request, _ h
 }
 }
 
+ if needsDomains {
+ a := h.conf.Ownership.AllOwns(sub + "@" + v.sso.Config.Namespace)
+ for _, i := range a {
+ ps.Set("domain:owns=" + i)
+ }
+ }
+
 noEmailSupport:
 nsSub := sub + "@" + v.sso.Config.Namespace
 ati := uuidNewStringAti()
diff --git a/server/owners.go b/server/owners.go
new file mode 100644
index 0000000..9ff797c
--- /dev/null
+++ b/server/owners.go
@@ -0,0 +1,17 @@
+package server
+
+// DomainOwnership is the structure for storing if a user owns a domain
+type DomainOwnership map[string][]string
+
+func (d DomainOwnership) AllOwns(user string) []string {
+ return d[user]
+}
+
+func (d DomainOwnership) Owns(user, domain string) bool {
+ for _, i := range d[user] {
+ if i == domain {
+ return true
+ }
+ }
+ return false
+}
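Review bot: The new `Ownership` field on `Conf` carries no comment describing what the map is keyed by, and nothing in conf.go pins the format; the only consumer visible in this diff (flow.go) looks entries up with `sub + "@" + v.sso.Config.Namespace`, so an operator writing the `ownership` JSON object has to read the callback handler to learn that keys are `subject@namespace` rather than a bare subject. Suggest `// Ownership maps a user key of the form "<sub>@<namespace>" to the domains that user is recorded as owning; see DomainOwnership.` above the field. The `Conf` struct continues outside the hunk.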
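Review bot: The new `switch i` has no `default:` arm, so a `dynamic:` permission that is misspelled in a client's configuration is silently dropped rather than surfaced — the same outcome as the old `if`, but the switch is now the natural place to catch it. A `default:` that logs the unrecognised value, or a validation pass at config-load time, would make a misconfigured client visible instead of quietly issuing a token without the expected claim. flowCallback starts and ends outside this hunk.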
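Review bot: The `if needsDomains` block is inserted above the `noEmailSupport:` label, and since Go rejects an unused label a `goto noEmailSupport` exists earlier in flowCallback (outside this hunk); every login that takes that jump bypasses the new block, so the `domain:owns=` claims are silently omitted exactly when the mail branch is skipped. If ownership claims are meant to be independent of mail support, move the block below the label or jump to a new label placed after it. Separately, `sub + "@" + v.sso.Config.Namespace` is built here and again on the `nsSub` line just below; hoisting `nsSub` above the block and calling `h.conf.Ownership.AllOwns(nsSub)` keeps the key construction in one place so the lookup and the claim subject cannot drift apart. The enclosing function starts and ends outside the hunk.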
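Review bot: `AllOwns` and `Owns` are exported without doc comments, and neither states that `user` is the `sub@namespace` key the caller in flow.go passes; suggest `// AllOwns returns the domains recorded for user (keyed as "<sub>@<namespace>"); the returned slice aliases the loaded config and must not be modified.` and `// Owns reports whether domain is listed for user; the comparison is an exact string match.` Because `AllOwns` hands back the map's own slice, any caller that appends to or sorts the result mutates the loaded configuration for every later request — `return slices.Clone(d[user])` (Go 1.21+, needs `import "slices"`) removes that aliasing, and `Owns` can then be `return slices.Contains(d[user], domain)`. Since the match is exact, a domain value arriving from an external source needs to be canonicalised (case, trailing dot) before `Owns` is consulted, or the method should do so; otherwise a trivially different spelling of a configured domain is reported as not owned.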