diff --git a/internal/command/instance_domain.go b/internal/command/instance_domain.go
index a0db372c1e..29360f6d8c 100644
--- a/internal/command/instance_domain.go
+++ b/internal/command/instance_domain.go
@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+	"regexp"
 	"strings"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
@@ -14,6 +15,10 @@ import (
 	"github.com/zitadel/zitadel/internal/repository/project"
 )
 
+var (
+	allowDomainRunes = regexp.MustCompile("^[a-zA-Z0-9\\.\\-]+$")
+)
+
 func (c *Commands) AddInstanceDomain(ctx context.Context, instanceDomain string) (*domain.ObjectDetails, error) {
 	instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
 	validation := c.addInstanceDomain(instanceAgg, instanceDomain, false)
@@ -84,6 +89,9 @@ func (c *Commands) addInstanceDomain(a *instance.Aggregate, instanceDomain strin
 		if instanceDomain = strings.TrimSpace(instanceDomain); instanceDomain == "" {
 			return nil, errors.ThrowInvalidArgument(nil, "INST-28nlD", "Errors.Invalid.Argument")
 		}
+		if !allowDomainRunes.MatchString(instanceDomain) {
+			return nil, errors.ThrowInvalidArgument(nil, "INST-S3v3w", "Errors.Instance.Domain.InvalidCharacter")
+		}
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 			domainWriteModel, err := getInstanceDomainWriteModel(ctx, filter, instanceDomain)
 			if err != nil {
diff --git a/internal/command/instance_domain_test.go b/internal/command/instance_domain_test.go
index e2e5ecabb7..6cd03a28ef 100644
--- a/internal/command/instance_domain_test.go
+++ b/internal/command/instance_domain_test.go
@@ -52,6 +52,51 @@ func TestCommandSide_AddInstanceDomain(t *testing.T) {
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
+		{
+			name: "invalid domain ', error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx:    context.Background(),
+				domain: "hodor's-org.localhost",
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "invalid domain umlaut, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx:    context.Background(),
+				domain: "bücher.ch",
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "invalid domain other unicode, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx:    context.Background(),
+				domain: "🦒.ch",
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
 		{
 			name: "domain already exists, precondition error",
 			fields: fields{
diff --git a/internal/static/i18n/de.yaml b/internal/static/i18n/de.yaml
index e25aed47e9..d9a8eb7749 100644
--- a/internal/static/i18n/de.yaml
+++ b/internal/static/i18n/de.yaml
@@ -172,6 +172,7 @@ Errors:
     IdpIsNotOIDC: IDP Konfiguration ist nicht vom Typ OIDC
     Domain:
       AlreadyExists: Domäne existiert bereits
+      InvalidCharacter: Nur alphanumerische Zeichen, . und - sind für eine Domäne erlaubt
     IDP:
       InvalidSearchQuery: Ungültiger Suchparameter
     LoginPolicy:
diff --git a/internal/static/i18n/en.yaml b/internal/static/i18n/en.yaml
index ebd1482ddb..01a0bac691 100644
--- a/internal/static/i18n/en.yaml
+++ b/internal/static/i18n/en.yaml
@@ -172,6 +172,7 @@ Errors:
     IdpIsNotOIDC: IDP configuration is not of type oidc
     Domain:
       AlreadyExists: Domain already exists
+      InvalidCharacter: Only alphanumeric characters, . and - are allowed for a domain
     IDP:
       InvalidSearchQuery: Invalid search query
     LoginPolicy:
diff --git a/internal/static/i18n/fr.yaml b/internal/static/i18n/fr.yaml
index 68684e83d8..efab49a8f6 100644
--- a/internal/static/i18n/fr.yaml
+++ b/internal/static/i18n/fr.yaml
@@ -172,6 +172,7 @@ Errors:
     IdpIsNotOIDC: La configuration IDP n'est pas de type oidc
     Domain:
       AlreadyExists: Le domaine existe déjà
+      InvalidCharacter: Seuls les caractères alphanumériques, . et - sont autorisés pour un domaine
     IDP:
       InvalidSearchQuery: Paramètre de recherche non valide
     LoginPolicy:
diff --git a/internal/static/i18n/it.yaml b/internal/static/i18n/it.yaml
index fdd770d103..b8223a2494 100644
--- a/internal/static/i18n/it.yaml
+++ b/internal/static/i18n/it.yaml
@@ -174,6 +174,7 @@ Errors:
       AlreadyExists: Il dominio già esistente
     IDP:
       InvalidSearchQuery: Parametro di ricerca non valido
+      InvalidCharacter: Per un dominio sono ammessi solo caratteri alfanumerici, . e -
     LoginPolicy:
       NotFound: Impostazioni di accesso non trovati
       Invalid: Impostazioni di accesso non sono validi