diff --git a/wfe2/wfe.go b/wfe2/wfe.go
index efe2c6d08..8c2b1e1b2 100644
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
@@ -167,6 +167,8 @@ type WebFrontEndImpl struct {
 // descriptions (perhaps including URLs) of those profiles. NewOrder
 // Requests with a profile name not present in this map will be rejected.
 certProfiles map[string]string
+
+ pa *policy.AuthorityImpl
 }
 // NewWebFrontEndImpl constructs a web service for Boulder
@@ -193,6 +195,7 @@ func NewWebFrontEndImpl(
 unpauseSigner unpause.JWTSigner,
 unpauseJWTLifetime time.Duration,
 unpauseURL string,
+ pa *policy.AuthorityImpl,
 ) (WebFrontEndImpl, error) {
 if len(issuerCertificates) == 0 {
 return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate")
@@ -210,6 +213,10 @@ func NewWebFrontEndImpl(
 return WebFrontEndImpl{}, errors.New("must provide a service for nonce redemption")
 }
+ if pa == nil {
+ return WebFrontEndImpl{}, errors.New("must provide a policy authority")
+ }
+
 wfe := WebFrontEndImpl{
 log: logger,
 clk: clk,
@@ -233,6 +240,7 @@ func NewWebFrontEndImpl(
 unpauseSigner: unpauseSigner,
 unpauseJWTLifetime: unpauseJWTLifetime,
 unpauseURL: unpauseURL,
+ pa: pa,
 }
 return wfe, nil
@@ -681,7 +689,7 @@ func (wfe *WebFrontEndImpl) contactsToEmails(contacts []string) ([]string, error
 return nil, berrors.InvalidEmailError("contact email contains non-ASCII characters")
 }
- err = policy.ValidEmail(parsed.Opaque)
+ err = wfe.pa.ValidEmail(parsed.Opaque)
 if err != nil {
 return nil, err
 }
@@ -2332,7 +2340,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
 idents = identifier.Normalize(idents)
 logEvent.Identifiers = idents
- err = policy.WellFormedIdentifiers(idents)
+ err = wfe.pa.WellFormedIdentifiers(idents)
 if err != nil {
 wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "Invalid identifiers requested"), nil)
 return
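Review bot: The new `pa` field in the `@@ -167,6 +167,8 @@` hunk has no comment, unlike `certProfiles` just above it, although it now decides which contact addresses and identifiers the front end accepts. I would add `// pa validates contact emails (ValidEmail) and requested identifiers (WellFormedIdentifiers) before requests are passed on.` above it. The struct begins outside the hunk, so the other fields may follow a different convention.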
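Review bot: `pa *policy.AuthorityImpl` in the `@@ -193,6 +195,7 @@` hunk ties the front end to the concrete policy type, while the call sites visible in this diff use only `ValidEmail` and `WellFormedIdentifiers`. A small interface declared in this package with those two methods would state the dependency and let tests supply a stub. If that is adopted, the `pa == nil` guard added in the next hunk would no longer catch a typed nil pointer wrapped in the interface, so it would need adjusting. Other uses of `pa` outside these hunks cannot be seen from here.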
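Review bot: `wfe.pa.ValidEmail(parsed.Opaque)` in the `@@ -681,7 +689,7 @@` hunk dereferences a field that is only guaranteed non-nil when the value came from NewWebFrontEndImpl; the same holds for `wfe.pa.WellFormedIdentifiers(idents)` in the NewOrder hunk. The package-level calls they replace needed no instance state, so any code that builds a `WebFrontEndImpl` literal directly (test fixtures are the usual case) worked before and may now panic inside a request handler if these methods read their receiver. It is worth checking that every construction site in the repository sets `pa`. contactsToEmails starts and ends outside the hunk.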
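Review bot: With `wfe.pa.WellFormedIdentifiers(idents)` in the `@@ -2332,7 +2340,7 @@` hunk, the outcome of this check presumably depends on how the front end's policy authority is configured rather than on fixed package rules, and nothing at the call site says so. If another component validates the same identifiers with its own policy instance, the two configurations can drift, and the front end would then accept or reject orders differently from it. A comment such as `// Early rejection using the WFE's own policy configuration; keep it in sync with the policy used downstream.` would make that expectation visible. NewOrder's body continues outside the hunk.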