Enter your idea

@Marc I've just followed you on GitHub, took a clone of the repo and done a quick scan of the code. Without testing it, looks okay to me on initial pass. I'll review it with my team next few days and have a go at implementing in our MS tenant.

I've got some further ideas to assist with deployment, pre-req checks etc. Will share feedback/contribute via GitHub.

Perhaps the Xero development team could take note....

@Jonathan Fortin
Oh so more people have this issue, they acted as if im the only one
I have raised this issue several times with Xero since launching the new invoicing that our customers are not receiving the invoices.
Long term customers that have always received it. But Xero keeps pushing for a call to waste my time instead of fixing their **** show behind their screen that they created with the changes they made.
I told them several times i am not a beta tester and i refuse to troubleshoot with them over the phone wasting my valuable time while they dont even listen to any users here on the forum, we never asked a new invoicing and the millions of bugs that came with it

Technically it doesn't handle any data as it relies completely on Xero sending a webhook to the webapp (either a website or virtual directory on an existing website), then it communicates with Xero on a very restricted set of claims to get the PDF of the invoice and email it as an attachment along with the link to it on the Xero platform.

It then sends it out via your email (this is the biggest pain point we all have with Xero), it even sends invoice reminders.

I would love feedback from anyone once they have conducted a security audit on it.

@Marc & @Adam

Since Xero doesn’t seem to care about this basic feature, I’m really interested in what you’re doing. We run a marketing agency, and I’m so tired of clients saying they never got the invoice or statement.

Was thinking about automating something through N8N or Zapier but that would be better.

Yeah, we’d need a security audit for this since it’s going to handle sensitive data.

@Adam, I've just sent an email, but its bounced back.

I have pushed the code to a public repo for anyone that would like to use it.
https://github.com/MarcBanyard/XeroMailerWeb

The compiled code is available here
https://github.com/MarcBanyard/XeroMailerWeb/releases/download/v1.0.0/XeroMailerWeb.v1.0.0.zip

I'm happy to help get Google Workspace or Google Enterprise working with it, I didn't implement it as I didn't have an account to test with and don't use it personally.

If you are able to, please contribute to the code on GitHub.

If anyone would like to *********** test the code, it would be amazing if you could share the results with the community as this will help us all which is why I released the code to the public for free.

@Marc Banyard

I'm interested in this project as both a user and contributor. I run a cyber sec business so I have access to resources that may be useful. You can contact me via the following temp email address: metals.pulleys_8y@icloud.com

It is absolutely possible to implement this with Google, either Workspace, or Free. We already do it on a very small scale, where we email scanned documents directly from our Canon photocopier.

All you have to do is create a security key for your Google workspace account, and use it when you configure the pop and IMAP settings in the 3rd party app, in this case, Xero.

Very easy and still secure.

I see your concern about this, I'm releasing the solution and source code free of charge if anyone wants to try it.

I'm a CTO & CISO and have extensive experience in IT Security, Cyber Security and Software Development.

I wanted to write this to solve my issue, but also wrote it knowing I wanted to give it out free of charge to the community to solve their issue as well.

Anyone who would like to talk about it please reach out and I will be more than happy to run through it with you so you can trial it with a test Xero company and a test M365 environment so put your mind at rest.

If there is anyone else out there who has software knowledge, cyber security knowledge or would like to perform *********** and security testing on the source or compiled code, please let me know as I welcome that as it will help all of us in the community.

I've done my bit by writing the software to solve the issue we are all having because Xero are not interested in implementing it.
It would be great to have other Xero users use it to solve their issue as well, it would be even better to get others to look at the code and see if there are any bits that can be improved or developed further.

Finally it would be great if a cyber security company can test it to confirm its all OK as this will help put everyone's minds at rest.

There is absolutely no way anybody should be putting their financial information through a free email app. Anybody could then harvest your invoice details and use it for scams

Since the topic has quite a bit of traction today, would any of you like to try the web app I wrote to solve the issue we are all experiencing?

Its free, so I'm not trying to generate revenue from this like others have!

I wrote it to solve the issue as Xero have no plans of implementing this as its been an outstanding issue for years now!

The process is straightforward. Anyone interested in using it will need to have Microsoft 365 (business, not personal). While I still need to write the web server setup guide, the setup for Xero and M365 is already complete. The setup is simple, and I've reviewed the AI-generated code thoroughly; everything looks fine (I have extensive experience with open-source projects).

I used AI to create the software to test its feasibility and effectiveness. As with all software, there are no guarantees it will be bug-free (please refer to any software's terms and conditions). However, after extensive testing, I am confident enough to release it to the community and I'm using it myself to send out all invoices and automatic reminders.

To give you some background you will need a Hosting Space with .NET Core 8 (.Net 8) for the mini web app to work, this can be a subdomain or as a virtual directory on your main website.

There is no UI to configure settings as its all triggered with API calls from Xero to trigger the system to request the invoice and email it out via your Microsoft 365 App Registration using a Shared or User mailbox.

Lol their priority was years of investing in a new invoicing nobody asked for, postponing it because of sooooo many bugs which are still visible.
But recurring invoicing and billing are still the same........................"priorities"

@Richard Fincher - spot on.

Up to a certain point in time, a successful startup tries to please their customers. After that point, they try to please their shareholders and investors. After that point, they start preparing the company for sale to a billionaire buyer. You know they've reached this point when you start to see their logo on sport-team shirts, as happened with TeamViewer.

This functionality is not a feature or an enhancement, it’s a basic function of any system that purports to be secure in today’s SaaS market.

Based on the amount of time this is taking, I can only surmise that that Xero’s development team are overstretched and being told to concentrate on coding items that increase revenue. Please Xero, keep your existing customer base happy and less likely to migrate to something else. The response of “We are looking into this and have other priorities” is standard corporate rhetoric, the effect of which is to kick the can down the road and get it off of someone’s desk for a while.

If other companies are making money by selling solutions to gaps in your product, it’s an opportunity for you.

"so, everyone with a gmail, outlook etc account would, do what ?
and yes, there are plenty of businesses that use those services."

The solution here is for Xero to offer the correct way to send emails through the customer's domain using established, industry standard methods, so that invoices that are currently getting flagged as spam or outright blocked because of abuse of post.xero.com by scammers, will get through.

If you're running your business with a gmail address, then you just keep sending it the way you are and take the risk. But the option has to be there for people who care about unhindered communication with their customers through Xero.

Sorry, Didn't see the "Optionally" part of the idea. You are right, you can't lower your standards.

"everyone with a gmail, outlook etc account would, do what" - Simply not turn the feature on? We cant lower our standards to the least capable people using the system. If they cant figure out simply not to turn the feature on then maybe they should not be using the system at all

so, everyone with a gmail, outlook etc account would, do what ?
and yes, there are plenty of businesses that use those services.

Anything in business is difficult if you don't know how, that doesnt mean the option should not be open for companies who have even the most basic competent IT person (its not a hard task).

We are a small cyber security company and we see fraud / spam from xero almost weekly.

Regarding "Sending emails from a cloud environment as another domain would require permissions being granted to xero that many network administrators would find difficult to agree to."

I am a consultant CISO. I can tell you this is standard practice. As organisations move to SaaS platforms, this is exactly what network administrators should support, particularly with the correct use of DKIM and DMARC. In fact, it's MORE secure.