User roles are now fully customizable. Role administrators can define customized roles with precise control over permissions, either for "administrators", "domain administrators", or standard "users" accounts. Options include the ability to change configurations, licensing, hardware settings, or access email continuity features.

Additionally, message permissions can now be assigned based on scan results and message direction, enabling granular control over view and release capabilities.

Domain administrators now have enhanced flexibility with multiple access levels. Administrators with "User Preference" access can manage welcomelist, blocklist and quarantine digest configurations and permissions, as in previous ESG versions. Those with "User Management" access can also fully administer users and valid recipients, while administrators granted "Full Access" can manage all domain-specific settings, including attachment policies, whaling protection, and user management.

Welcomelist and Blocklist now include advanced anti-spoofing measures. Sender domain authentication results for SPF, DKIM, and DMARC—whether successful or failed—are now used to refine the applicability of Welcomelist entries. Additionally, Welcomelist behavior is activated only when all recipients are explicitly listed. Blocklists remain applicable to all recipients, except those explicitly Welcomelisted, who are excluded from evaluations.