Validate Fix: a beginner's guide
Re-run a specific check and report whether the fix applied
Fix validation: did the remediation actually fix the finding?
Fix validation is the discipline of re-running a specific check after the operator believes they've applied the fix, to confirm that the finding actually cleared. It's the small but critical last step in any remediation workflow: a scanner produced a finding, a fix plan ordered it, a record generator produced the exact change to apply, the operator applied the change — and now the question is whether the change worked. Without validation, every remediation ends with "I think I fixed it" rather than "the scan confirms it's fixed," and the ambiguity accumulates. Continuous-monitoring frameworks like NIST SP 800-53 CA-7 treat validation as a required control specifically because unvalidated fixes are indistinguishable from no fix at all.
You should care because a surprising fraction of "fixed" findings aren't actually fixed. The change went to the wrong DNS zone. The DNS cache hasn't propagated yet. The change addressed the symptom but not the underlying mis-configuration. Somebody rolled back the change without telling the ticket-creator. In each of those cases, the finding is still live, but the remediation queue thinks it's closed. Automated fix validation closes that gap by running the specific check again on demand and reporting whether it now passes, without requiring the operator to remember which scanner to re-run.
The four things every fix validation does:
Re-run the specific failing check. Not a full scan — just the one check that originally produced the finding. Faster, cheaper, and isolates the success signal to the exact change being validated.
Compare against the prior failing result. Confirming that the same check that previously returned "failing" now returns "passing" with the same inputs.
Account for propagation delays. DNS changes take minutes to hours to propagate; a validation run too soon after the fix can show stale results. The validator should either wait or advise waiting.
Return a machine-readable pass/fail outcome. So the remediation ticket can be closed automatically when the fix is confirmed, without a human interpreting a prose scan result.
Three questions a fix validation answers:
Did the remediation actually address the finding that triggered the ticket?
If not, is it propagation delay (wait and retry) or a real failure (re-open the ticket)?
Can I close this remediation item with confidence that the underlying issue is resolved?
The cost of skipping fix validation is a remediation queue that gradually fills with items that are marked closed but not actually fixed. The fix is to make validation the required last step of every remediation ticket, automated where possible. The same pattern appears across IT service management: ITIL's incident-resolution process requires a "verify resolution" step for exactly this reason. Applied to DNS and email-security fixes, it produces a closed-loop remediation workflow that can actually be trusted.
The Validate Fix endpoint, in plain language
In one sentence: Re-run a specific check and report whether the fix applied.
Given a domain and the check ID of a previously flagged finding (e.g., SPF, DMARC, DKIM, mta-sts, DNSSEC), the endpoint re-runs that specific check and reports whether the fix appears to have applied. It is useful as a post-remediation verification step.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
The endpoint accepts a domain plus a check_id (sent as the `type` query parameter) in the set {SPF, DMARC, DKIM, mta-sts, DNSSEC}. It runs that single check and returns fix_status: resolved (no findings of the same severity as before), partial (some findings remain), still_present (all findings remain), or worsened (new or elevated findings). It returns the current check result alongside so callers can see the full post-fix state.
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Validate Fix tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Closes the remediation loop: run scan → generate fix plan → deploy records → validate fix. Teams need machine-readable evidence that a deployed change had the intended effect.
Picture this in real life. Imagine a devops engineer. Here's the situation they're walking into: After deploying an updated SPF (Sender Policy Framework) record, confirm the fix applied before marking the ticket resolved. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Validate Fix tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Validate Fix tool is built for you:
Can I get the entire story about a domain in a single report instead of running ten checks?
What is the single document I would share with my team, my client, or my board?
Where should I focus my next hour of work to make the biggest difference?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Account executives prepping a sales call, agencies producing a monthly client deliverable, investors doing diligence, and founders building a board deck. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you have to assemble the same snapshot by hand every time you need it — which means you stop bothering. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/reports/validate-fix`.
When would I actually use this?
If you're still on the fence about whether the Validate Fix tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a devops engineer and a security engineer — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Post-Deploy Verification
Imagine you're a devops engineer. After deploying an updated SPF (Sender Policy Framework) record, confirm the fix applied before marking the ticket resolved.
Why it matters: Eliminate "looks fine" assumption-driven ticket closure.
Story 2: Automated Remediation Pipelines
Imagine you're a security engineer. A GitOps pipeline that publishes DNS (Domain Name System) changes can call validate-fix to gate the merge on a successful verification.
Why it matters: DNS (Domain Name System) changes that don't take effect fail the pipeline instead of silently merging.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Validate Fix tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Right before a sales call, to walk in already knowing the prospect.
For a monthly client status update or executive summary.
During M&A or investor diligence on a target domain.
When you want to share "everything we know about this domain" in a single link.
If you can see yourself in even one of those bullets, the Validate Fix tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Validate Fix tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Validate Fix tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/reports/validate-fix?domain=example.com&type=spf"
```
What you need to provide
You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to re-check | example.com |
| type | string | Yes | The check to validate: SPF, DMARC, DKIM, mta-sts, or DNSSEC. Allowed values: spf, dmarc, dkim, mta-sts, dnssec | spf |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| check_id | string | The check that was re-run |
| fix_status | string | resolved \| partial \| still_present \| worsened |
| current_result | object | Current check output (score, grade, findings) |
| summary | string | Human-readable one-line fix status |
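A pipeline gate built on the fields above, as an added example that is not EdgeDNS's own code: it retries only the statuses that DNS propagation delay can explain and refuses to auto-close a ticket on anything else. The retry policy, the `gate` function and the `EDGEDNS_API_KEY` variable name are assumptions of this example; the URL, the `type` parameter and the `fix_status` values come from this page.

```python
import json
import os
import sys
import time
import urllib.parse
import urllib.request

API = "https://api.edgedns.dev/v1/reports/validate-fix"  # endpoint from this page
ALLOWED = {"spf", "dmarc", "dkim", "mta-sts", "dnssec"}  # allowed `type` values
RETRYABLE = {"partial", "still_present"}  # may be stale DNS; policy assumed here


def fetch_validate_fix(domain, check, api_key):
    """Call the endpoint once and return the decoded JSON body."""
    query = urllib.parse.urlencode({"domain": domain, "type": check})
    req = urllib.request.Request(
        f"{API}?{query}", headers={"Authorization": f"Bearer {api_key}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def gate(fetch, domain, check, attempts=4, delay=300, sleep=time.sleep):
    """Return ("close" | "reopen", last_status) for a remediation ticket.

    fetch(domain, check) -> dict with a fix_status field. Only statuses that
    propagation delay can explain are retried; everything else fails closed.
    """
    if check not in ALLOWED:
        raise ValueError(f"unsupported check type: {check!r}")
    status = None
    for attempt in range(1, attempts + 1):
        status = fetch(domain, check).get("fix_status")
        if status == "resolved":
            return "close", status
        if status not in RETRYABLE:
            # "worsened" or an unrecognised value: never auto-close.
            return "reopen", status
        if attempt < attempts:
            sleep(delay)  # give resolvers time to pick up the new record
    return "reopen", status


if __name__ == "__main__":
    key = os.environ["EDGEDNS_API_KEY"]  # hypothetical variable name
    call = lambda d, c: fetch_validate_fix(d, c, key)
    action, status = gate(call, "example.com", "spf")
    print(f"fix_status={status} -> {action}")
    sys.exit(0 if action == "close" else 1)  # non-zero exit fails the pipeline
```

The gate takes the fetch function as an argument so the decision logic can be exercised against canned responses before it is wired to a real API key.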
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.
SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.
DKIM (DomainKeys Identified Mail) — A digital signature added to every email you send. The receiving mail server checks the signature to make sure the message really came from you and was not changed in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.
MTA-STS (Mail Transfer Agent Strict Transport Security) — A way to tell other mail servers "always use encryption when sending email to me, and refuse to fall back to unencrypted delivery."
DNSSEC (Domain Name System Security Extensions) — A way to digitally sign DNS records so attackers can't trick your computer into looking up the wrong server.