diff --git a/src/apps.js b/src/apps.js
index 1b65bf1b9..e1b53c5c1 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -148,6 +148,7 @@ exports = module.exports = {
     _validatePortBindings: validatePortBindings,
     _validateAccessRestriction: validateAccessRestriction,
     _validateUpstreamUri: validateUpstreamUri,
+    _validateLocations: validateLocations,
     _translatePortBindings: translatePortBindings,
     _parseCrontab: parseCrontab,
     _clear: clear
@@ -1288,6 +1289,11 @@ async function validateLocations(locations) {
 
     const domainObjectMap = await domains.getDomainObjectMap();
 
+    const RESERVED_SUBDOMAINS = [
+        constants.SMTP_SUBDOMAIN,
+        constants.IMAP_SUBDOMAIN
+    ];
+
     for (const location of locations) {
         if (!(location.domain in domainObjectMap)) return new BoxError(BoxError.BAD_FIELD, `No such domain in ${location.type} location`);
 
@@ -1297,6 +1303,10 @@ async function validateLocations(locations) {
             subdomain = subdomain.replace(/^\*\./, ''); // remove *.
         }
 
+        if (RESERVED_SUBDOMAINS.indexOf(subdomain) !== -1) return new BoxError(BoxError.BAD_FIELD, `subdomain '${subdomain}' is reserved`);
+
+        if (dns.fqdn(subdomain, location.domain) === settings.dashboardFqdn()) return new BoxError(BoxError.BAD_FIELD, `subdomain '${subdomain}' is reserved`);
+
         const error = dns.validateHostname(subdomain, location.domain);
         if (error) return new BoxError(BoxError.BAD_FIELD, `Bad ${location.type} location: ${error.message}`);
     }
diff --git a/src/dns.js b/src/dns.js
index 3746effa0..936efec62 100644
--- a/src/dns.js
+++ b/src/dns.js
@@ -78,14 +78,6 @@ function validateHostname(subdomain, domain) {
 
     const hostname = fqdn(subdomain, domain);
 
-    const RESERVED_SUBDOMAINS = [
-        constants.SMTP_SUBDOMAIN,
-        constants.IMAP_SUBDOMAIN
-    ];
-    if (RESERVED_SUBDOMAINS.indexOf(subdomain) !== -1) return new BoxError(BoxError.BAD_FIELD, `subdomain '${subdomain}' is reserved`);
-
-    if (hostname === settings.dashboardFqdn()) return new BoxError(BoxError.BAD_FIELD, `subdomain '${subdomain}' is reserved`);
-
     // workaround https://github.com/oncletom/tld.js/issues/73
     const tmp = hostname.replace('_', '-');
     if (!tld.isValid(tmp)) return new BoxError(BoxError.BAD_FIELD, 'Hostname is not a valid domain name');
diff --git a/src/test/apps-test.js b/src/test/apps-test.js
index 01b3b03a2..ed09f086d 100644
--- a/src/test/apps-test.js
+++ b/src/test/apps-test.js
@@ -9,16 +9,32 @@ const apps = require('../apps.js'),
     AuditSource = require('../auditsource.js'),
     BoxError = require('../boxerror.js'),
     common = require('./common.js'),
-    constants = require('../constants.js'),
     expect = require('expect.js'),
     safe = require('safetydance');
 
 describe('Apps', function () {
-    const { domainSetup, cleanup, app, admin, user } = common;
+    const { domainSetup, cleanup, app, admin, user , domain } = common;
 
     before(domainSetup);
     after(cleanup);
 
+    describe('validateLocations', function () {
+        it('does not allow reserved subdomain', async function () {
+            let location = { type: apps.LOCATION_TYPE_ALIAS, subdomain: 'my', domain: domain.domain };
+            expect(await apps._validateLocations([location])).to.be.an(Error);
+        });
+
+        it('does not allow unknown domain', async function () {
+            let location = { type: apps.LOCATION_TYPE_PRIMARY, subdomain: 'my2', domain: domain.domain + 'x' };
+            expect(await apps._validateLocations([location])).to.be.an(Error);
+        });
+
+        it('allows valid locations', async function () {
+            let location = { type: apps.LOCATION_TYPE_SECONDARY, subdomain: 'my2', domain: domain.domain };
+            expect(await apps._validateLocations([location])).to.be(null);
+        });
+    });
+
     describe('validatePortBindings', function () {
         it('does not allow invalid host port', function () {
             expect(apps._validatePortBindings({ port: -1 }, { tcpPorts: { port: 5000 } })).to.be.an(Error);
diff --git a/src/test/dns-test.js b/src/test/dns-test.js
index 5f702d762..cc2910018 100644
--- a/src/test/dns-test.js
+++ b/src/test/dns-test.js
@@ -18,10 +18,6 @@ describe('DNS', function () {
     after(cleanup);
 
     describe('validateHostname', function () {
-        it('does not allow admin subdomain', function () {
-            expect(dns.validateHostname('my', domain)).to.be.an(Error);
-        });
-
         it('cannot have >63 length subdomains', function () {
             const s = Array(64).fill('s').join('');
             expect(dns.validateHostname(s, domain)).to.be.an(Error);