Enter your idea

@Marc Banyard

I'm interested in this project as both a user and contributor. I run a cyber sec business so I have access to resources that may be useful. You can contact me via the following temp email address: metals.pulleys_8y@icloud.com

It is absolutely possible to implement this with Google, either Workspace, or Free. We already do it on a very small scale, where we email scanned documents directly from our Canon photocopier.

All you have to do is create a security key for your Google workspace account, and use it when you configure the pop and IMAP settings in the 3rd party app, in this case, Xero.

Very easy and still secure.

I see your concern about this, I'm releasing the solution and source code free of charge if anyone wants to try it.

I'm a CTO & CISO and have extensive experience in IT Security, Cyber Security and Software Development.

I wanted to write this to solve my issue, but also wrote it knowing I wanted to give it out free of charge to the community to solve their issue as well.

Anyone who would like to talk about it please reach out and I will be more than happy to run through it with you so you can trial it with a test Xero company and a test M365 environment so put your mind at rest.

If there is anyone else out there who has software knowledge, cyber security knowledge or would like to perform *********** and security testing on the source or compiled code, please let me know as I welcome that as it will help all of us in the community.

I've done my bit by writing the software to solve the issue we are all having because Xero are not interested in implementing it.
It would be great to have other Xero users use it to solve their issue as well, it would be even better to get others to look at the code and see if there are any bits that can be improved or developed further.

Finally it would be great if a cyber security company can test it to confirm its all OK as this will help put everyone's minds at rest.

There is absolutely no way anybody should be putting their financial information through a free email app. Anybody could then harvest your invoice details and use it for scams

Since the topic has quite a bit of traction today, would any of you like to try the web app I wrote to solve the issue we are all experiencing?

Its free, so I'm not trying to generate revenue from this like others have!

I wrote it to solve the issue as Xero have no plans of implementing this as its been an outstanding issue for years now!

The process is straightforward. Anyone interested in using it will need to have Microsoft 365 (business, not personal). While I still need to write the web server setup guide, the setup for Xero and M365 is already complete. The setup is simple, and I've reviewed the AI-generated code thoroughly; everything looks fine (I have extensive experience with open-source projects).

I used AI to create the software to test its feasibility and effectiveness. As with all software, there are no guarantees it will be bug-free (please refer to any software's terms and conditions). However, after extensive testing, I am confident enough to release it to the community and I'm using it myself to send out all invoices and automatic reminders.

To give you some background you will need a Hosting Space with .NET Core 8 (.Net 8) for the mini web app to work, this can be a subdomain or as a virtual directory on your main website.

There is no UI to configure settings as its all triggered with API calls from Xero to trigger the system to request the invoice and email it out via your Microsoft 365 App Registration using a Shared or User mailbox.

Lol their priority was years of investing in a new invoicing nobody asked for, postponing it because of sooooo many bugs which are still visible.
But recurring invoicing and billing are still the same........................"priorities"

@Richard Fincher - spot on.

Up to a certain point in time, a successful startup tries to please their customers. After that point, they try to please their shareholders and investors. After that point, they start preparing the company for sale to a billionaire buyer. You know they've reached this point when you start to see their logo on sport-team shirts, as happened with TeamViewer.

This functionality is not a feature or an enhancement, it’s a basic function of any system that purports to be secure in today’s SaaS market.

Based on the amount of time this is taking, I can only surmise that that Xero’s development team are overstretched and being told to concentrate on coding items that increase revenue. Please Xero, keep your existing customer base happy and less likely to migrate to something else. The response of “We are looking into this and have other priorities” is standard corporate rhetoric, the effect of which is to kick the can down the road and get it off of someone’s desk for a while.

If other companies are making money by selling solutions to gaps in your product, it’s an opportunity for you.

"so, everyone with a gmail, outlook etc account would, do what ?
and yes, there are plenty of businesses that use those services."

The solution here is for Xero to offer the correct way to send emails through the customer's domain using established, industry standard methods, so that invoices that are currently getting flagged as spam or outright blocked because of abuse of post.xero.com by scammers, will get through.

If you're running your business with a gmail address, then you just keep sending it the way you are and take the risk. But the option has to be there for people who care about unhindered communication with their customers through Xero.

Sorry, Didn't see the "Optionally" part of the idea. You are right, you can't lower your standards.

"everyone with a gmail, outlook etc account would, do what" - Simply not turn the feature on? We cant lower our standards to the least capable people using the system. If they cant figure out simply not to turn the feature on then maybe they should not be using the system at all

so, everyone with a gmail, outlook etc account would, do what ?
and yes, there are plenty of businesses that use those services.

Anything in business is difficult if you don't know how, that doesnt mean the option should not be open for companies who have even the most basic competent IT person (its not a hard task).

We are a small cyber security company and we see fraud / spam from xero almost weekly.

Regarding "Sending emails from a cloud environment as another domain would require permissions being granted to xero that many network administrators would find difficult to agree to."

I am a consultant CISO. I can tell you this is standard practice. As organisations move to SaaS platforms, this is exactly what network administrators should support, particularly with the correct use of DKIM and DMARC. In fact, it's MORE secure.

@Andrew Syme: No permissions need to be granted to Xero to make this work. Organisations just need to add the relevant records to their DNS (once implemented by Xero). All control remains with the domain (DNS) owner.

This is standard practice across all good Sass apps.

Sending emails from a cloud environment as another domain would require permissions being granted to xero that many network administrators would find difficult to agree to.

I've just found out today that some of my clients automatically block mail from message-service@post.xero.com because of phishing/spoofing attacks. And as a result our invoices and quotes have not been delivered. This suggestion goes bat to 2013. That's TWELVE years ago.

So the idea is accepted. And what? That's it? Xero accept the problem. Thanks. Come on. This is a FUNDAMENTAL requirement in 2025.

I can imagine why this is not implemented yet.... .. a lot of small businesses, solo traders, etc., may not have the technical capability to deal with domain integrations/DMARC/SPF/DKIM and because of that, XERO backs away given the support implications would be too heavy to deal with.

Using our own domain, with SPF/DKIM when sending really needs to be implemented.

We've had months of client's invoices not being received or put into spam without us knowing, only when we chased missing payments did we find this out was the norm. Severly affected our cashflow as you can imagine.

We've given up sending any correspondence through Xero now and had to resort to printing the invoice or statement as a PDF then manually emailing it, then marking it as send in Xero. Made a big difference to our cashflow, but also costs us a few more hours each week in manual work, not helpful.

We face constant issues getting invoice emails seen by our clients. This is not a huge undertaking. Most outfits are used to adding SPF/DKIM records for things like Shopify, Zendesk, and other platforms that have supported this for some time. This is the only platform in our stack that forces email from a domain other than ours. We will HAPPILY beta test this if you decide to implement it.