Fix Plan: a beginner's guide
Prioritized remediation action list from scan findings
Fix plans: turning a scan result into a prioritized backlog
A fix plan is the output of a security or configuration scan expressed as a prioritized action list rather than a raw findings dump. A typical scanner produces a big list of issues — SPF too many includes, DMARC at `p=none`, missing MTA-STS, HSTS max-age too short, two orphan CNAMEs, TLS 1.0 still enabled — with severity flags. A fix plan takes that same list and adds the structure a team actually needs to act on it: which fix to do first, which fixes have to be done before others (you can't enforce DMARC before SPF and DKIM are both correct), how much effort each fix takes, and what the sprint-ready action item looks like. It's the difference between a scanner and a remediation system.
You should care because most scans produce findings that nobody prioritizes, and unprioritized findings don't get fixed. Security teams running a quarterly scan get a PDF with 147 items flagged across the portfolio. Engineering capacity to address them is measured in days per quarter. Without a fix plan, the team picks the easiest items or the most-recently-discussed items or the ones their manager happens to ask about — and the real risk concentration goes unaddressed for another quarter. A fix plan applies OWASP Risk Rating Methodology-style severity × impact math and dependency ordering to produce an objective sequence.
The five inputs every fix plan combines:
- Per-finding severity × impact. A severity-mapping matrix that converts raw scanner findings into numerical priority scores. CVSS 4.0 is the industry-standard scheme for CVE-adjacent findings; category-specific scoring handles DMARC/SPF/TLS misconfigurations.
- Inter-finding dependencies. "Enforce DMARC" depends on "fix SPF failures" and "fix DKIM alignment" — the plan orders them correctly rather than presenting them as parallel items.
- Effort estimates. Rough low/medium/high effort labels so that a sprint planner can fit the work into available capacity.
- Remediation-step descriptions. Concrete "add this TXT record, then wait 24 hours, then change the policy to `quarantine`" instructions rather than abstract "harden DMARC" labels.
- Compact vs. full formatting. A top-5 summary for exec briefings; a full sequence for the team executing the work.
Three questions a fix plan answers:
- Given the findings from my latest scan, what should I fix first?
- Which fixes have prerequisites I need to complete beforehand?
- Can I hand this backlog to a sprint planner without further triage?
The cost of findings without fix plans is the gap between "we ran the scan" and "we fixed the issues." The fix is to treat remediation sequencing as a product of the scan itself — every scanner output should arrive already prioritized, already sequenced, already estimated. The pattern applies across security tooling: SANS's CIS Controls Implementation Groups prescribe ordered rollouts of their control framework for exactly this reason.
The Fix Plan endpoint, in plain language
In one sentence: Prioritized remediation action list from scan findings
Runs the domain's email-security and DNS-security checks and emits a prioritized remediation action list. Each action carries priority (severity × impact), effort estimate, and dependency relationships — e.g., "fix DMARC (Domain-based Message Authentication, Reporting and Conformance)" requires "fix SPF (Sender Policy Framework)" first. Supports compact (top-5) and full (complete list) formats.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
1. Runs SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail), MTA-STS (Mail Transfer Agent Strict Transport Security), and DNSSEC (Domain Name System Security Extensions) analysis in parallel.
2. Filters out informational findings.
3. Applies a category × severity weight matrix to compute per-finding priority.
4. Maps each finding to an effort estimate (low/medium/high) and to the inter-category dependency graph.
5. Sorts by priority descending.
6. Returns the ordered action plan with remediation steps, effort, priority score, and the predecessor actions that must be completed first.
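As an added illustration of that pipeline (example code written for this guide, not EdgeDNS's implementation), the sketch below scores a constructed set of findings with an assumed category × severity weight matrix, assumed effort labels and an assumed dependency edge, filters informational items, and builds the `actions`/`summary` shape described later on this page. It goes one step beyond the description above: an action is never scheduled before the categories it depends on, so a higher-scoring DMARC fix still lands after its SPF and DKIM prerequisites.

```python
# Added example, not EdgeDNS code: a toy fix-plan builder that applies a
# category x severity weight matrix, effort labels and a dependency graph to
# scan findings. All weights, effort labels and edges below are assumed values.
from collections import Counter

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CATEGORY_WEIGHT = {"spf": 2.5, "dkim": 2.5, "dmarc": 3.0, "mta-sts": 1.5, "dnssec": 2.0}
EFFORT = {"spf": "low", "dkim": "medium", "dmarc": "low", "mta-sts": "medium", "dnssec": "high"}
DEPENDS_ON = {"dmarc": ["spf", "dkim"]}  # enforcing DMARC needs SPF and DKIM correct first

SAMPLE_FINDINGS = [  # constructed sample findings, not real scanner output
    {"category": "dmarc", "finding": "policy is p=none", "severity": "high",
     "remediation": "Once SPF and DKIM pass, move to p=quarantine, then p=reject"},
    {"category": "spf", "finding": "record exceeds 10 DNS lookups", "severity": "high",
     "remediation": "Flatten or remove includes until the record needs at most 10 lookups"},
    {"category": "dkim", "finding": "selector not found", "severity": "medium",
     "remediation": "Publish the public key TXT record at <selector>._domainkey"},
    {"category": "mta-sts", "finding": "no MTA-STS policy", "severity": "medium",
     "remediation": "Publish the _mta-sts TXT record and the HTTPS policy file"},
    {"category": "dnssec", "finding": "zone is not signed", "severity": "low",
     "remediation": "Sign the zone and publish the DS record at the registrar"},
    {"category": "mta-sts", "finding": "policy mode is testing", "severity": "low",
     "remediation": "Switch the policy mode to enforce once reports look clean"},
    {"category": "spf", "finding": "record ends in ~all", "severity": "informational",
     "remediation": ""},
]

def build_fix_plan(domain, findings, detail="full"):
    actionable = [f for f in findings if f["severity"] != "informational"]
    scored = [{**f, "priority_score": SEVERITY_WEIGHT[f["severity"]] * CATEGORY_WEIGHT[f["category"]],
               "effort": EFFORT[f["category"]], "depends_on": DEPENDS_ON.get(f["category"], [])}
              for f in actionable]
    # Highest priority first, but an action is only "ready" once no unscheduled
    # finding remains in a category it depends on; fall back to the best action
    # if nothing is ready (which only happens with a dependency cycle).
    pending = sorted(scored, key=lambda a: -a["priority_score"])
    ordered = []
    while pending:
        open_cats = {a["category"] for a in pending}
        ready = [a for a in pending if not (set(a["depends_on"]) & open_cats)]
        nxt = (ready or pending)[0]
        ordered.append(nxt)
        pending.remove(nxt)
    if detail == "compact":  # top-5 summary for an exec briefing
        ordered = ordered[:5]
    return {"domain": domain, "total_findings": len(actionable), "action_count": len(ordered),
            "actions": ordered,
            "summary": {"by_severity": dict(Counter(a["severity"] for a in scored)),
                        "by_category": dict(Counter(a["category"] for a in scored))}}
```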
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Fix Plan tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Checker tools tell you what's wrong; fix plans tell you what to do next. Security teams running a scan get a laundry list of findings and no sequencing guidance — this endpoint turns raw findings into a sprint-ready backlog prioritized by impact and dependency order.
Picture this in real life. Imagine an email security lead. Here's the situation they're walking into: a quarterly hardening sprint, where they need to generate a fix plan per domain and use it as the sprint backlog. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Fix Plan tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Fix Plan tool is built for you:
- Can I get the entire story about a domain in a single report instead of running ten checks?
- What is the single document I would share with my team, my client, or my board?
- Where should I focus my next hour of work to make the biggest difference?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Account executives prepping a sales call, agencies producing a monthly client deliverable, investors doing diligence, and founders building a board deck. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you have to assemble the same snapshot by hand every time you need it — which means you stop bothering. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the pro plan. The technical details: `GET /v1/reports/fix-plan`.
When would I actually use this?
If you're still on the fence about whether the Fix Plan tool belongs in your toolbox, this section is for you. Below you'll meet three real people — an email security lead, a security manager, and a security consultant — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Hardening Sprint Planning
Imagine you're an email security lead. It's the quarterly hardening sprint: you need to generate a fix plan per domain and use it as the sprint backlog.
Why it matters: Convert scan output to actionable, sequenced work items without manual triage.
Story 2: Executive Remediation Reporting
Imagine you're a security manager. Communicate the top 5 email-security actions per domain to leadership without surfacing protocol-level detail.
Why it matters: Compact plan format maps cleanly to executive summaries.
Story 3: Consulting Deliverable
Imagine you're a security consultant. Deliver a prioritized fix plan per domain as a scan-report deliverable to clients.
Why it matters: Repeatable, structured plan output per engagement.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Fix Plan tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
- Right before a sales call, to walk in already knowing the prospect.
- For a monthly client status update or executive summary.
- During M&A or investor diligence on a target domain.
- When you want to share "everything we know about this domain" in a single link.
If you can see yourself in even one of those bullets, the Fix Plan tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Fix Plan tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Fix Plan tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/reports/fix-plan?domain=example.com"
```
What you need to provide
You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to generate a fix plan for | example.com |
| detail | string | Optional | Output format: "compact" (top 5 actions) or "full" (complete list). Default: full. Allowed values: compact, full | full |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| total_findings | number | Total non-informational findings across all categories |
| action_count | number | Number of actions in the returned plan |
| actions | array | Ordered action list: category, finding, severity, priority_score, effort, depends_on, remediation |
| summary | object | Counts by severity and by category |
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.
SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.
DKIM (DomainKeys Identified Mail) — A digital signature added to every email you send. The receiving mail server checks the signature to make sure the message really came from you and was not changed in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.
MTA-STS (Mail Transfer Agent Strict Transport Security) — A way to tell other mail servers "always use encryption when sending email to me, and refuse to fall back to unencrypted delivery."
DNSSEC (Domain Name System Security Extensions) — A way to digitally sign DNS records so attackers can't trick your computer into looking up the wrong server.