Besides a lot of other security-related features I'd like to see implemented in the ESG, one feature stands out: certificate validation in general and support for DANE in particular.
As we all know, the current system of public CAs is nearly completely broken, with thousands of illegitimate certificates issued by public CAs because of incompetence, governmental pressure and a host of other reasons. Thus it is an absolute necessity for users to be able to decide whose certificates to trust, and for any security device to provide the user with a reasonable and standardized method for certificate validation and the ability to configure and enforce validation and encryption as needed.
Offering only opportunistic encryption or easily MITMable encryption without certificate validation is no longer an option.
Therefore, I'd like to propose the following enhancements for the ESG:
1. Support DANE
2. Make certificate validation configurable on a per-domain level for sender and recipient with these options:
2.1 Verify and block/quarantine/tag on failure / don't verify
2.2 Verify chain of trust to public CA
2.3 Verify certificate according to DANE DNS records
2.4 Verify certificate by other sensible, standardized means (Certificate Transparency and others come to mind)
3. Perhaps combine certificate validation and other methods of sender authentication like SPF, DKIM, DMARC per domain to a unified settings object in order to streamline configuration and ease administration.
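To make proposals 2.1 through 2.3 concrete, here is an added example (my own illustration, not ESG code and not the vendor's implementation) of what a DANE check plus a per-domain enforcement policy looks like. The TLSA semantics follow RFC 6698/7671: usage 3 (DANE-EE), selector 0 (full certificate) or 1 (SubjectPublicKeyInfo), matching type 0/1/2 (exact, SHA-256, SHA-512). The certificate is a constructed DER skeleton with the RFC 5280 field order, not a real key; the `POLICY` table, its domain names and the `verify`/`on_fail` option names are assumptions chosen to mirror the options listed above. Usages 0, 1 and 2 need the full chain and are deliberately not accepted by `dane_verify`.

```python
"""Added example: TLSA (DANE) matching and per-domain enforcement policy."""
import hashlib
from dataclasses import dataclass


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos = pos + 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 order)."""
    _, cert_body, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert_body, 0)
    tag, _, pos = der_read(tbs, 0)          # version [0] (optional) or serialNumber
    if tag == 0xA0:                          # version present: also skip serialNumber
        _, _, pos = der_read(tbs, pos)
    for _ in range(4):                       # signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    start = pos
    _, _, end = der_read(tbs, pos)           # subjectPublicKeyInfo, kept whole
    return tbs[start:end]


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the zone-file presentation form, e.g. '3 1 1 <hex>'."""
    u, s, m, hexdata = presentation.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex(hexdata))


def tlsa_matches(rec: TLSA, cert_der: bytes) -> bool:
    """Does this certificate match one TLSA record's selector/matching type?"""
    subject = cert_der if rec.selector == 0 else extract_spki(cert_der)
    if rec.mtype == 0:
        digest = subject
    elif rec.mtype == 1:
        digest = hashlib.sha256(subject).digest()
    elif rec.mtype == 2:
        digest = hashlib.sha512(subject).digest()
    else:
        return False                         # unknown matching type: unusable record
    return digest == rec.data


def dane_verify(records, leaf_der: bytes) -> bool:
    """DANE-EE (usage 3) only: the leaf must match at least one usable record."""
    return any(r.usage == 3 and tlsa_matches(r, leaf_der) for r in records)


# Constructed per-domain policy, mirroring options 2.1-2.3 (names are assumptions).
POLICY = {
    "example.com": {"verify": "dane", "on_fail": "block"},
    "example.net": {"verify": "ca", "on_fail": "quarantine"},
    "*": {"verify": "none", "on_fail": "tag"},
}


def decide(domain: str, dane_ok: bool, ca_ok: bool) -> str:
    """Return 'deliver' or the configured failure action for this domain."""
    p = POLICY.get(domain, POLICY["*"])
    if p["verify"] == "none":
        return "deliver"
    ok = dane_ok if p["verify"] == "dane" else ca_ok
    return "deliver" if ok else p["on_fail"]


def sample_cert():
    """Constructed DER certificate skeleton (not a real key); returns (cert, spki)."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
               + der(0x03, b"\x00" + b"\x11" * 16))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")), spki


if __name__ == "__main__":
    cert, spki = sample_cert()
    rec = parse_tlsa("3 1 1 " + hashlib.sha256(spki).hexdigest())
    print("dane:", dane_verify([rec], cert), "->", decide("example.com", dane_verify([rec], cert), False))
```

The policy lookup is where proposal 3 would hook in: the same per-domain object could carry SPF/DKIM/DMARC expectations next to the `verify` and `on_fail` fields, so one record per domain decides delivery.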