Xero Mail - Send as @company-name.com not message-service@post.xero.com
Ability to make an email sent from Xero appear as @company-name.com instead of message-service@post.xero.com, when users send an email to their client/customer.
Purpose: To provide more validity when sending communications from Xero out to clients/customers and avoid items ending up in Spam/Junk mail.
Hi team, we appreciate the on-going support and feedback we're receiving on this idea and are pleased to be able to share this update. Our product team are actively exploring how we can best solve for the needs raised here, although at this time are unable to provide any set timeframes.
They are very much aware of the appetite from our community on this, and as part of their exploration have reached out to some users here as they gather insights.
For the time being we'll shift to In discovery and I'll return as soon as there is more on this to share.
-
Matt Atherton
commented
@Adam I am sure there are. I was simply sharing another option for anyone on here who might need it. :o)
-
Adam Livesey
commented
@Matt there are other solutions and ones that aren't charging more per month than what Xero is charging
-
Matt Atherton
commented
@Tim - I appreciate that 100%. My point was that this request is now almost 13 years old, and nothing has been done, so we decided to find an (ultimately better) alternative.
TLDR; Maybe focus on a solution, instead of ******* your head against a wall, where no one is obviously around to see your ongoing frustration.
-
Tim Sneller
commented
@Matt It's great that you were able to develop something, but not everyone has the ability, or the resources to do this. If you are sending large numbers of invoices every day, it might be cost effective, but not for everyone. This is Xero's problem, and they really do not understand the overall impact of the issue.
-
Matt Atherton
commented
We "solved" this issue by not sending invoices via Xero. Once an invoice is set to "Approved", it triggers a Make automation, which updates an associated invoice task in our ClickUp central hub, and that's where the invoice PDF then gets sent out to the client.
Whilst I appreciate this needs another tool to work, it has advantages:
- One central source of information
- A tool using our email address to send, which is properly validated in DNS
- Any client replies and further correspondence creates a clear thread in ClickUp
-
Tim Sneller
commented
If our invoices do not get through to customers, because they look like spam, then they will not get paid. If companies do not get paid, then they cease to exist. That means that all the time spent developing AI products is completely wasted.
AI is not very important in the overall scheme of things - GETTING PAID IS ! ! AI might make the system look clever to prospective users, but they will soon find the serious problems when they start using it.
FIX THE IMPORTANT ISSUES FIRST ! ! !
-
Nigel Smith
commented
It seems that this App mentioned below can send follow-up emails, reminders etc, from your own Domain. But it does not seem to say anywhere in its descriptions that it sends the original invoice / purchase order / remittance from your own Domain.
This is what Xero needs to implement...
-
Adam Livesey
commented
@Denym Bird
So we have to pay another service provider more than Xero to do what Xero should be doing already....
-
Denym Bird
commented
In the meantime, it could be worth checking out dedicated Xero apps made to solve this problem for sending from your own domain such as https://apps.xero.com/app/paidnice
-
I.T. Solutions Tasmania
commented
Hi Kelly
It is lovely that you are implementing AI features but what's the point when emails from Xero go to junk from us and it is impossible to send from a domain that won't be flagged for spam?
We provide IT Support so our invoices look like phishing when they are legitimate accounts...
Matt
-
Gavin Wilkinson
commented
This is the problem in action. Beyond service issues, such phishing is dangerous - and straight through several layers of filtering thanks to Xero's trusted domain.
Ideas for a solution are abundant in this thread. My new idea is for Xero to react constructively to the issues these emails (attached) cause.
-
Gordon Lyon
commented
Xero currently sends all invoices and quotes from messaging-service@post.xero.com. We can send a custom reply-to email address, but sending from our own address would be much better. The reply-to hack "solution" has 3 major problems:
1) Email from post.xero.com is way more likely to be spam filtered than if it was coming from our own email address/infrastructure.
2) Many customers see a quote or invoice come in from messaging-service@post.xero.com and so put that in their CRM for sending POs and remittance advice. Sometimes their systems do this automatically based on the incoming email. I've missed many purchase orders for this reason.
3) It would look way more professional if our invoices and quotes came from our business email domain instead of xero.com. Many recipients don't know who Xero is and are thus less likely to click through and pay an alleged invoice coming from that address.
Until 2023, Xero offered the ability to connect to Google Workspace/Gmail and send from our own domain through that. I never understood why Xero removed this critical capability, but I hope you'll bring it back. You could even make it more generic (allow users to specify SMTP server + auth) so it will work with far more providers than just Google.
-
Dennis Seyersdahl
commented
Andrew,
You do not need to single me out. My intent was simply to make sure the issue was reported to the correct department so it can be addressed through the proper channels. If nothing is done after that, then the responsibility falls on them, not on us when our clients are impacted.
I also think the conversation had started to drift into complaints rather than solutions. As IT professionals, it is important that we help guide issues through the correct process instead of just venting in a forum where the people reading may not be the ones who can actually fix the problem. The only reason I spoke up was because of the ongoing complaints and the comment that the individual ran an IT security company. With over 25 years in the IT field, I have rarely seen situations where IT professionals were unwilling to at least try to move an issue forward in a constructive way.
That is why I contacted Xero directly and shared their response, so we could get the discussion back on track and focused on what can actually be done. I was also personally receiving multiple spam messages related to this issue, which is another reason I felt it was worth addressing.
We should be able to use our own domains, and this type of risk is not unique to Xero. QuickBooks has similar limitations, and we see the same types of attacks there as well, including spoofed domains and look-alike registrations. I had a customer recently where a bad actor registered a domain with a single extra letter added in the middle of the name. The customer’s client did not notice the difference, and the issue was only caught after I reviewed the messages. That situation ended up being reported to ICANN after we confirmed the domain was being used maliciously.
My point is that these are real security concerns, and the correct response is to report them through the proper channels so something can actually be done, not just complain about them in a forum.
If you want to single me out, that is your choice, but I will respond when I feel it is necessary to clarify my position.
-
Andrew Syme
commented
@Dennis et al.
Xero does have a security reporting pathway for reporting Phishing attempts / attacks.
Please use it instead of spamming the emails of all 412 people that have supported this Product Idea.
BTW. This is not a FORUM for back and forward discussion. We can all agree that EMAIL security is a world wide issue that is not readily or easily solved. Report the Phishing and stop the whinging !!
-
Luke Grayson
commented
100% agree Christopher. I also run a small IT company. Xero know. Xero don't care. Spreading awareness is all you can really do, and that's what you're doing. Thanks!
-
Christopher Dunham
commented
Once again, I don't work for Xero. If a company specializing in finance (Xero) is stupid enough to allow anybody who signs up for an account to send invoices from the same address as legitimate customers then I am going no further than raising it in their forum. Which I did, and this is that forum. Hence you are seeing it. I am not going to spend hundreds of hours trying to tell a company how naughty they are for not doing the job properly. Firstly it won't get anywhere as they already know and secondly I am not a charity for rich global enterprises cutting corners on cyber security.
You seem to think Xero don't know about this, the chances of that are 0%. Xero know, and are not interested as they will claim those defrauded should not have paid an invoice from a shared email address.
This gets treated as any other phishing email does. Marked as fraud to teach the junk filters at Microsoft to block it.
-
Tim Sneller
commented
Dennis - I emailed spoofing@xero.com, and got a similar response.
There does seem to be two main issues:
1. Criminals are setting up Xero for fake companies, and sending out invoices from Xero, in the hope that people will just pay the invoice. This is difficult to stop, unless Xero insists on Companies House Registration details etc when creating an account, but even that can be fudged. Presumably the same thing is happening from Quickbooks and other systems.
Gavin suggested that FREE accounts could possibly have emails sent from a different domain. That might help genuine companies, but the reputation of post.xero.com is probably already irredeemably damaged. The only solution is to enable companies to use their own email server - Something which Xero is apparently very belatedly now looking at.
2. There appear to be random emails that are NOT related to invoices etc, which are being received from what APPEARS to be the Xero domain. If the SPF/DMARC verification is somehow being bypassed, then security@xero.com definitely need to know, and have as much evidence as possible. If the originating server info is being spoofed, that is much more difficult to stop. Again though, if our GENUINE invoices are no longer associated with post.xero.com then it won't matter so much.
-
Perry Paolantonio
commented
@Christopher: What people are asking is that if you can definitively prove that scammers are using the Xero platform to send phishing emails, report it to xero and/or a relevant government authority that will put pressure on Xero to fix this issue. The US government doesn't give a rats *** about this, especially now that it's run by scammers. But the UK government seems to, from what I'm gathering from the other comments. If you don't want to deal with it, share the information so others can.
I have not seen what you're describing, though I have received several phishing emails that were clearly NOT sent through Xero, instead they were spoofing post.xero.com so that it looked like it was coming from there. But the emails themselves had links to sites that were not "in.xero.com" -- the domain that Xero invoices use for viewing/paying an invoice online.
If you are seeing actual, legit emails sent BY xero on behalf of scammers, reporting it is not just a good idea, you should feel obligated to. If you feel no sense of duty to report it, then at minimum it's something you should do simply because it affects your use of the platform. Why should you have to pay for or maintain a third party system to send invoices from ...wait for it... invoicing software.
The fact that this is talked about a lot here is meaningless. I think we all know that Xero doesn't pay attention to this suggestions portal, it's here to make us feel like they are. Other channels, such as reporting Xero to an authority that could actually have an effect on their bottom line, may be the only way to get this problem addressed.
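As an added illustration of the distinction Tim and Perry draw above (a message that really passed through Xero's sender and authenticates, versus one that merely forges post.xero.com, fails SPF/DMARC and links somewhere other than in.xero.com), the following Python triage script is mine, not Xero's or any commenter's. The two messages it inspects are constructed samples, and the pay-now.example link host is a placeholder, not a real indicator.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

XERO_SENDER_DOMAIN = "post.xero.com"  # sending domain named in the thread
XERO_INVOICE_HOST = "in.xero.com"     # invoice-viewing host named in the thread

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the receiving MX's Authentication-Results."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts

def link_hosts(msg):
    """Hostnames of every http(s) link in the text parts of the message."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s\"'<>]+", text):
                hosts.add(urlparse(url).hostname.lower())
    return hosts

def triage(raw):
    """Classify a message whose From: claims Xero's sending domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = auth_results(msg)
    passes = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    off_platform = sorted(h for h in link_hosts(msg)
                          if h != XERO_INVOICE_HOST and not h.endswith("." + XERO_INVOICE_HOST))
    if from_domain != XERO_SENDER_DOMAIN:
        verdict = "not-xero"        # ordinary mail, outside this triage
    elif not passes:
        verdict = "spoofed"         # forged From: mark as phishing in your own filters
    else:
        verdict = "sent-via-xero"   # a real tenant sent it: forward with headers to Xero security
    return {"verdict": verdict, "auth": auth, "off_platform_links": off_platform}

# Constructed samples (not real messages): a forged one, and the same mail as Xero would send it.
SPOOFED = """From: Xero <messaging-service@post.xero.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=post.xero.com; dkim=none; dmarc=fail header.from=post.xero.com
Content-Type: text/html

<p>Invoice due: <a href="http://pay-now.example/inv/42">pay here</a></p>"""
GENUINE = SPOOFED.replace("fail", "pass").replace("dkim=none", "dkim=pass").replace(
    "http://pay-now.example/inv/42", "https://in.xero.com/i/abc")
```

Off-platform link hosts are reported for both verdicts: a message that authenticates yet links away from in.xero.com is exactly the case worth forwarding with full headers.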
-
Dennis Seyersdahl
commented
For anyone following this thread, I reached out directly to Xero through their phishing / security reporting channel to ask what the correct escalation path is outside of the forum and normal support tickets.
This is the response I received from Xero’s security team. They confirmed that these reports should be sent to their security team and provided the addresses they want incidents forwarded to so they can investigate and take action:
They also stated that their security team reviews the headers and takes steps to prevent similar emails being sent in the future when they have enough information to investigate.
Based on that response, there does appear to be a proper escalation path for these cases beyond forum posts, and it sounds like the correct process when these emails are seen is to forward the message with headers to their security team so they can review the tenant or account that sent it.
Putting the issue only in a forum is not really a proper escalation path. A forum is useful for discussion and awareness, but it is still just a complaint thread and may not reach the security team or the people who can actually investigate the problem. In many cases the people reading or replying in the forum are not part of Xero’s security or engineering teams, so the issue may never be reviewed at the level needed to make changes.
I understand the concern about volume, especially if you are seeing a lot of these across multiple clients, but since these messages are coming from Xero’s own sending service and passing SPF / DMARC, this seems like one of the situations where reporting it through their security channel makes more sense than treating it like a normal spam sender.
At least this gives us a confirmed path from Xero on how they want these incidents handled instead of assuming nothing can be done.
-
Christopher Dunham
commented
We absolutely will correctly mark them as phishing. The security of Xero is not something of my concern, they are not my client and I am here to protect my clients. Xero have been informed many times on this thread anybody can sign up and send invoices from their email address, huge amounts of those invoices are simply pretending to be from other companies. It's really not hard to figure out, and is not technical whatsoever. The fraudsters know many companies use Xero and thus send out fake invoices from Xero accounts, I don't really get what's hard to understand about this? The chances Xero don't know about this are about 0%, they are not interested.
Anybody thinking I am going to spend the next 3 years trying to tell Xero this is a bad idea is absolutely insane, every single reply on this thread tells Xero it's a bad idea to let anybody sign up to an account and send invoices from the same email as legitimate clients.
Xero have no interest in this, they just say it's not their problem if somebody pays an invoice they shouldn't have.
I don't really see why people think I should make it my life long mission to get Xero to change their mind, rather than just block this Xero address. Why by the way, many other IT / Cyber security providers also block this and it's probably the number 1 known fraud address globally as it opens an easy path to payments.
I could sign up to Xero tomorrow with a pretend company and send out invoices and see who pays, it's so easy. Like I said, Xero already know. No sympathy for them of people blocking their emails.