Xero Mail - Send as @company-name.com not message-service@post.xero.com
Ability to make an email sent from Xero appear as @company-name.com instead of message-service@post.xero.com, when users send an email to their client/customer.
Purpose: To provide more validity when sending communications from Xero out to clients/customers and avoid items ending up in Spam/Junk mail.
Hi community, thanks for sharing your continued interest here. We appreciate the importance of having assurance that mail you send from Xero is being received, and that being able to send from your own company email would increase confidence in this process.
I can confirm this idea has been continually reviewed by our product teams, and being able to send from your own company email is on their radar. Currently there are other priorities, and platform work that requires their attention, before they can consider this more deeply.
When there is opportunity to pick this up, I will share any news with you all here.
-
Leisa Thompson
commented
Ideas page is a waste of time. Consumers never listened to, never prioritised and never actioned. Don't waste your time. It will never happen.
-
Marc Banyard
commented
@Dennis, I agree that using a 3rd party is not an ideal solution and Xero should do this natively out of the box.
The solution I have developed is free and the full source code is available to use and contribute to.
As business owners we usually have a company domain which has a website and email configured on it.
If your web host supports .NET 8 (most do), this will work and not cost you as a business anything moving forwards.
As I use Microsoft 365 for my company emails, I have written this to work with it and provided the setup guides on how to configure an app registration to send the emails from your own domain.
I will be looking at adding SMTP functionality next week when I have some time. If anyone has a Google Workspace account and would like to work with me to conduct testing, I would be more than happy to add that ability to the solution. Alternatively, if you have coding knowledge and can add this yourself, please do so and push the changes back to the repository so others can benefit from this.
Until Xero pull their fingers out and start listening to customers, I suspect this will be the only free option the community can use to send invoices using their own domain.
There are some solutions out there and they will happily charge you a monthly fee to do this.
Since so many people (including myself) have been vocal about how invoices are currently sent from the Xero SaaS platform as being a security concern, I decided to write a solution that solved my needs as well as anyone else who uses Xero and Microsoft 365.
-
Mike Baptiste
commented
@Adam - yeah I see that now - I read too fast! Sorry about that. Because you're 100% right about the bad actor stuff. We face that phishing threat with our clients from places like QuickBooks, etc. with fake invoices and that means post.xero.com is sketchy to some filters. Hopefully we get this feature soon - my cashflow will be much happier.
-
Adam Romain
commented
@Mike I see how you might have misread my post, so I’ve just updated it.
Basically, I’m saying that a bad actor could sign up, create fake invoices using a legitimate logo, and send them through Xero’s sending platform - using message-service@post.xero.com - making them appear entirely genuine.
-
Dennis Seyersdahl
commented
I do not think having to use a 3rd party is what I want to do either as it creates more risk in the email chain and more cost to my business. It should be part of the system we pay for especially since costs per month are going up again. Many on prem and hosted services do this type of function.
-
Jeff Layton
commented
Mike - nothing Adam said was incorrect; the two of you are referring to two different ways of doing this.
1) Adam is talking about configuring Xero to send email via a separate SMTP server - this could be a client's own infrastructure or a third party SMTP service (MailGun, SMTP2Go, etc.)
2) You are referring to having Xero send the emails, but utilizing SPF/DKIM/DMARC to authenticate Xero's servers as authorized sending servers.
I think #1 is a better option. #2 would require Xero to take on added responsibility of keeping their mail server "clean", and I doubt they would want to dedicate resources to this.
-
Adam Romain
commented
@Mike.
I think we may be getting wires crossed. I'm really saying two things:
1) That legitimate email from post.xero.com is properly configured from a DMARC perspective (including SPF and DKIM).
2) That I agree with you regarding what's needed from both Xero and its customers to support sending from a custom domain.
It’s been a long day - so perhaps I didn’t explain myself clearly. :o)
-
Jonathan Fortin
commented
@Kelly Munro
Lots of activity on this thread as you can see.
Could you please clarify what the “ACCEPTED” status actually means?
Does this indicate that the feature is actively being planned for development (short term), or simply that it’s on the radar for possible future consideration once you have finished what you are working on?
Having this distinction is important — otherwise, “accepted” could mean we’re looking at integration "when we have a chance", which isn’t very reassuring for users dealing with this issue right now.
-
Jonathan Fortin
commented
I fully agree with Adam.
We’re experiencing the same issue right now: we have nearly $30k past due from a client.
When I followed up, their response was: “Oh! Sorry, we tried to find your invoices/statement by searching with your email and couldn’t find it. We thought Xero’s emails were spam or a phishing attempt, so we ignored them.”
Every time this happens, I end up resending the statement from my own email — and, suddenly, we get paid.
Xero, instead of focusing on new AI features (which many of us aren’t even sure how to use yet), please prioritize solving this core issue: email deliverability.
As Adam suggested: simply give us the option to “activate” our domain. Even just providing the necessary DNS entries and a checkbox acknowledging that “Xero isn’t responsible for the SPF/DKIM setup and that this must be handled by my developer/IT/cybersecurity specialist” would be enough.
That’s all we need. Please give us this option.
-
Mike Baptiste
commented
Sorry - I misread your post. Thought you were saying bad actors could spoof domains. Now I see the direction you were going and yes - it means they poison the post.xero.com domain making it harder for the rest of us.
Multiple platforms do this all the time. You verify your ownership of a domain by creating SPF and DKIM records (TXT or CNAME), which are required to ensure proper delivery of the email from Xero's servers. Xero would only start sending emails from sales@acme.com once they saw acme.com's owners updated the DNS file AND that they were correct, so the emails can be properly DKIM signed and verified. This is not some unusual request. Tons of platforms (Shopify, Zendesk, HubSpot, and so on) already have this capability. Xero should too.
-
Adam Romain
commented
And why does this really matter?
Xero offers a 30-day trial with no credit card required. It’s not beyond imagination that a malicious actor could exploit the platform to impersonate a legitimate company and send highly convincing invoices or payment requests - all delivered via Xero’s trusted infrastructure.
>> UPDATED for context: >>>
By using the default Xero Mailer and therefore the generic domain post.xero.com.... the domain we ask our clients to trust <<<
To an unsuspecting recipient, it could look entirely legitimate. I wouldn’t be at all surprised if this has already happened.
By allowing customers to authenticate and send using their own domains, Xero could help prevent abuse and strengthen trust in the platform. It’s not just a feature request - it’s a security control. A very important one.
-
Stephanie Leito
commented
@Perry Correct me if I'm wrong but that's 4 price increases in the last 5 years.
-
Adam Romain
commented
To clarify for anyone confused about DMARC (along with SPF and DKIM): the sending domain post.xero.com is fully DMARC-aligned. It has the recommended policy (p=reject), and the SPF and DKIM records align correctly with the message headers my team and I have reviewed for legitimate emails.
The issue, however, is that clients expect accounting-related emails to come from my company’s domain - not from a generic sender that may or may not appear to be genuinely linked to us. That’s the core limitation I’d like to see improved.
I want to demonstrate that we have control and accountability over the emails we send - and the best way to do that is by using our own domain and brand. This is something many other SaaS platforms already support.
Yes, it’s true that not all Xero customers may be in a position to set up domain authentication - but that’s no reason to deny the option to those of us who are. It should be something we can opt into.
What’s needed from Xero is the ability for customers to send from their own domain, along with a clear setup guide covering how to implement or adjust DMARC (and the supporting SPF/DKIM records). Many SaaS providers offer this - complete with record validation and setup walkthroughs. It’s entirely doable.
It just needs doing.
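The alignment rule discussed in the comments above, as an added example that is not part of the thread and not Xero's code: DMARC passes only when SPF or DKIM passes for a domain aligned with the visible From domain, which is why a custom From address needs the customer's own DNS records. The header values, the `bounce@` address and `mx.example.net` are constructed, and the two-label organizational-domain rule is a simplification.

```python
import re

def org_domain(domain):
    # Simplification (assumption): take the last two labels. Real DMARC
    # evaluators use the Public Suffix List, so this is wrong for e.g. .co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Return (method, result, domain) for each spf/dkim clause of an
    Authentication-Results header value."""
    found = []
    for clause in header.split(";")[1:]:  # first part is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        key = "smtp.mailfrom" if method == "spf" else "header.d"
        d = re.search(re.escape(key) + r"=(\S+)", clause)
        if d:
            found.append((method, result, d.group(1).split("@")[-1]))
    return found

def dmarc_aligned(from_addr, auth_results):
    """List the mechanisms that both passed and align (relaxed mode) with the
    From domain. An empty list means the message fails DMARC."""
    from_org = org_domain(from_addr.split("@")[-1])
    return [method for method, result, domain in parse_auth_results(auth_results)
            if result == "pass" and org_domain(domain) == from_org]

# Constructed header values, not captured from real mail.
PLATFORM_AUTH = ("mx.example.net; spf=pass smtp.mailfrom=bounce@post.xero.com; "
                 "dkim=pass header.d=post.xero.com")
# Same sending platform after the customer has published a DKIM key for
# company-name.com and the platform signs with d=company-name.com.
CUSTOM_AUTH = ("mx.example.net; spf=pass smtp.mailfrom=bounce@post.xero.com; "
               "dkim=pass header.d=company-name.com")

CASES = [
    ("message-service@post.xero.com", PLATFORM_AUTH),  # generic sender
    ("accounts@company-name.com", PLATFORM_AUTH),      # From changed, no DNS setup
    ("accounts@company-name.com", CUSTOM_AUTH),        # From changed, DKIM delegated
]

if __name__ == "__main__":
    for from_addr, auth in CASES:
        aligned = dmarc_aligned(from_addr, auth)
        print(f"{from_addr}: {'pass via ' + ', '.join(aligned) if aligned else 'fail'}")
```

The second case is the one to watch for: both checks report `pass`, yet neither aligns with the From domain, so a receiver enforcing the owner's DMARC policy would reject or quarantine the message.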
-
Perry Paolantonio
commented
"but I would assume that would mail through the user's mail account directly"
This is exactly what it did. In the preferences you'd put in your normal SMTP credentials (username, password, ports, etc) as well as the authentication information that you set up on the server. On our web host this takes about 30 seconds to set up (adding a trusted sender to the DNS records).
FWIW, when we were considering a switch to Zoho Books, it supported this. It's really incredibly basic stuff for any SaaS service, especially one that just announced they're raising their prices (in the US at least).
-
Marc Banyard
commented
The desktop version of Sage, QuickBooks or others usually use a MAPI connection or plugin with Outlook on the computer to send emails. Some can be configured with SMTP, but it’s been years since I’ve used the desktop versions of the software.
-
Adam Romain
commented
@Perry yes, online. I don't know much about the desktop version but I would assume that would mail through the user's mail account directly/use on-prem servers for relay and therefore benefit from the domain authenticity of that set up.
-
Perry Paolantonio
commented
"I recently moved away from QuickBooks which, incidentally, has the same limitation."
Was that QBO? We used QuickBooks Pro Desktop for 20 years and starting probably 10 years ago they implemented this in the desktop version.
-
Adam Romain
commented
@Perry You said:
"The best solution is for Xero to finally deal with this most basic of user requirements. It's an industry standard and DKIM/SPF support is necessary, now. It's simply not that hard to implement."
Absolutely agree.
As a cyber security consultant, a key part of my role is helping businesses, large and small, improve their email security posture. I routinely advise them on identifying phishing attempts, securing their email domains, and implementing SPF, DKIM, and DMARC properly, especially when adopting complex SaaS platforms.
Then we send them an invoice via Xero - and it arrives from a generic mailer. More often than not, we hear that it wasn’t received, was flagged as suspicious, or ended up quarantined by their mail filters. It undermines our credibility. We look like we’re not following our own advice.
This issue is especially relevant to me now. I recently moved away from QuickBooks which, incidentally, has the same limitation. Furthermore, with the loss of my commercial director (who had a more 'old school' way of working), I’ve been focused on streamlining operations and getting the most out of Xero.
So yes, this is a significant matter. Fortunately, I have the technical expertise to implement a workaround in the short term. But I want to... no, I expect to.... see Xero address this with urgency.
-
Marc Banyard
commented
@Perry, I can look at implementing SMTP; this won’t be till next week. It should be a relatively simple fix to test.
The web app I’ve written does not rely on Outlook; it’s currently configured to use Microsoft 365 as that’s what my business uses.
I would like to see the project working with as many email providers as possible so it benefits the community.
I totally agree that the best solution would be for Xero to configure their SaaS product to be compliant with industry standards.
DKIM and SPF are great, and most SaaS solutions offer this as standard and have done for years.
-
Perry Paolantonio
commented
While this approach is an interesting one (Marc's setup on GitHub), it assumes you're using Outlook. We are not, and I suspect a lot of people are not. In our case, our mail is handled by our web host, where we have a dedicated server. So even doing it with Google support isn't useful in that case.
The best solution is for Xero to finally deal with this most basic of user requirements. It's an industry standard and DKIM/SPF support is necessary, now. It's simply not that hard to implement.