Xero Mail - Send as @company-name.com not message-service@post.xero.com
Ability to make an email sent from Xero appear as @company-name.com instead of message-service@post.xero.com, when users send an email to their client/customer.
Purpose: To provide more validity when sending communications from Xero out to clients/customers and avoid items ending up in Spam/Junk mail.
Hi team, we appreciate the on-going support and feedback we're receiving on this idea and are pleased to be able to share this update. Our product team are actively exploring how we can best solve for the needs raised here, although at this time are unable to provide any set timeframes.
They are very much aware of the appetite from our community on this, and as part of their exploration have reached out to some users here as they gather insights.
For the time being we'll shift to In discovery and I'll return as soon as there is more on this to share.
-
Richard Fincher
commented
Happy to provide some free consultancy on this. Have run an email hosting service in a London datacentre since 1999, and ran a software development team for 20 years.
-
Adam Romain
commented
Andrew, in a proper implementation the ability to send from a domain is tied to proof of ownership of that domain.
The platform would require DNS verification first, and only the account holder who successfully verifies control of the domain would be permitted to send using it.
Without that verification step, the domain simply can’t be used. Mature SaaS platforms already implement this control as standard practice.
-
Dennis Seyersdahl
commented
I think there may be some confusion about how domain verification and SMTP authorization actually work in this scenario.
In a properly designed system, granting SMTP or domain-verified sending rights inside one tenant/company should not allow another tenant (including Demo companies) to send mail from that domain. Domain verification is normally tied to DNS ownership, and the verified domain should only be usable within the specific organization that completed that verification.
In other words, if Xero implemented this correctly, a threat actor using a Demo company would not be able to send from my domain unless they also had control of my DNS records or access to my organization. That is the same model used by services like Microsoft 365, SendGrid, Amazon SES, and others.
Because of that, the risk would not come from Demo accounts themselves, but from a misconfiguration, lack of tenant isolation, or improper domain verification controls.
From a security standpoint, allowing verified domain sending is actually more secure than forcing everything through @post.xero.com, because proper SPF, DKIM, and DMARC alignment can be enforced and recipients can validate the sender more reliably.
If there is a concern that Demo environments share the same mail infrastructure without strict separation, then that would be the real issue that needs to be addressed, not the concept of using a verified domain itself.
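
Added example (not part of any comment in this thread, and not Xero's code): a Python model of the control the comment above describes, where a DNS challenge is bound to both tenant and domain, so a second tenant cannot reuse the owner's published record. The class name `SenderDomainRegistry`, the `_sender-verify` TXT label, the tenant ids and the domain `company-name.example` are assumptions, and the in-memory `ZONE` is constructed to stand in for real DNS lookups.

```python
import hmac
import secrets
from email.utils import parseaddr

def _norm(domain):
    return domain.strip().rstrip(".").lower()

class SenderDomainRegistry:
    """Tenant-scoped sender domains (hypothetical design, not Xero's)."""

    def __init__(self, resolve_txt):
        self._resolve_txt = resolve_txt   # callable: DNS name -> list of TXT strings
        self._pending = {}                # (tenant, domain) -> challenge token
        self._verified = set()            # {(tenant, domain)}

    def start(self, tenant, domain):
        """Issue a random challenge bound to this tenant AND this domain."""
        domain = _norm(domain)
        token = secrets.token_hex(16)
        self._pending[(tenant, domain)] = token
        return f"_sender-verify.{domain}", f"sender-verify={token}"

    def confirm(self, tenant, domain):
        """Verified only if this tenant's own token is published in DNS."""
        domain = _norm(domain)
        token = self._pending.get((tenant, domain))
        if token is None:
            return False
        want = f"sender-verify={token}".encode()
        for txt in self._resolve_txt(f"_sender-verify.{domain}"):
            if hmac.compare_digest(txt.encode(), want):
                self._verified.add((tenant, domain))
                del self._pending[(tenant, domain)]
                return True
        return False

    def may_send(self, tenant, from_header):
        """Exact-match the From domain against this tenant's verified set."""
        addr = parseaddr(from_header)[1]
        if addr.count("@") != 1:
            return False
        return (tenant, _norm(addr.rsplit("@", 1)[1])) in self._verified

# Constructed DNS zone standing in for real TXT lookups.
ZONE = {}

def lookup(name):
    return ZONE.get(name, [])
```

The send path would call `may_send` with the submitting tenant's id on every message, so a domain verified in one organisation is never usable from another.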
-
Andrew Syme
commented
Adam, I disagree. Read the first line I wrote. We know that threat actors are using DEMO. Therefore, if you give permission to XERO to send via SMTP, you are giving permission to DEMO to send emails under your name.
How many of "SendGrid, Amazon, HubSpot and many others" have a FREE demo account for anyone to use?
-
Adam Romain
commented
Andrew,
I think there may be a bit of a misunderstanding here.
The suggestion isn't that anyone should be able to send arbitrary email addresses through Xero. The whole point of domain verification is the opposite .... it proves that the sender actually controls the domain they're sending from.
Platforms like SendGrid, Amazon, HubSpot and many others already do this. You add a DNS record to prove ownership of the domain, then configure SPF/DKIM so receiving mail servers can verify the message is legitimate.
Without that verification step, it wouldn’t work in the first place.
The current situation actually has the opposite problem .... invoices arrive from @post.xero.com, which can look less authentic to recipients who expect communication from the company’s own domain….
-
Andrew Syme
commented
There is also the reverse. We know that "Threat actors" are using Xero Demo Company to send fake invoices to targets.
Now, you wish to add your email addresses to their repertoire?
Email should be the second last resort (Postal being last) for communicating invoices.
-
Tim Sneller
commented
Gavin highlights one of the main problems. Because so much SPAM email appears to come from post.xero... that people just block them, without any consideration of the impact to suppliers sending invoices.
It also makes it almost impossible for those of us who use Xero to block these spam emails without affecting copies of emails that we send to ourselves from Xero.
Please just enable us to specify an alternate SMTP service, so that we have an alternative. It will also look more professional if our invoices look as if WE sent them, and not an outside agency.
-
Gavin Wilkinson
commented
I receive job offers saying they are from Ferrari or Chanel, etc. and when I look at the address, it is a post.xero.com address.
There is no way these places would be offering me a job and they are clearly phishing. The trouble is that I can't flag them as such because it would mess with our billing and payroll. Nightmare.
Letting us send from our domain would be ideal. I can't think of any other platforms we use that don't allow this.
-
Dave Turney
commented
easiest thing in the world to solve.
just allow smtp LIKE EVERY OTHER SERVICE OUT THERE.
get serious or start losing people.
i'm ready to make the jump.
-
Adam Romain
commented
Kelly and the team @ Xero. I'm VERY pleased to see this major problem has now progressed internally at Xero.
From Xero's point of view, the objective is simple. Give customers who want the ability to use their own domain, following proof of ownership of the domain, the ability to send as alias@company-name.com.
A straightforward domain ownership verification step would prevent abuse. Once verified, users could configure the necessary DNS records (SPF/DKIM/DMARC) to support it.
If there are concerns around support load due to misconfigured mail authentication, the feature could simply be opt-in with a clear disclaimer that configuration of SPF/DKIM/DMARC is the responsibility of the customer.
Businesses that already operate with custom domains typically have access to the resources needed to configure DNS correctly. And for smaller customers or those who prefer simplicity, the existing @post.xero.com option remains perfectly suitable.
In other words, this doesn't need to replace the current system ... just provide a proper option for those who need it.
Ultimately, enabling this would strengthen the authenticity and professionalism of communications sent through Xero.... giving SMEs a small but meaningful professional boost, and making it a clear win for both customers and Xero.
Be bold Xero. Lead on this. It's important.... trust me..... I'm a consulting CISO.
-
George Aretakis
commented
Very good point, Richard Fincher
-
Stephanie Leito
commented
Glad more people are expressing that their customers are not receiving the invoices.
When I open a ticket Xero acts as if I'm the only one and wants to have a call with me. I told them I am not their beta tester. These problems started happening when they changed the new invoicing. I did not have it before.
This is very annoying to customers when they don't get the recurring invoices, but do get the reminder emails.
Xero send me this:
"Please ask your IT department to try this:
Emails sent from Xero usually contain financial information, so can sometimes be incorrectly identified as spam and redirected to junk folders or rejected completely.
It’s also possible that your customer might have marked Xero email addresses as spam or has blocked them.
To resolve this, please ask them to add '@xero.com' and '@post.xero.com' to their email approve list to ensure they receive messages from Xero. Alternatively if their email service provider allows, they can add the following IP Addresses to their allow list:
192.237.159.130
192.237.159.151
192.237.159.187
192.237.159.186
104.130.122.55
If they're still having trouble receiving emails from Xero, we'd recommend that they investigate further with their email service provider.
I've included a link to our support article for more information.
Xero Central article: Contact not receiving an email sent through Xero"
However, the issue still remains, thus we are receiving payments very late because of this issue.
-
Richard Fincher
commented
Yes, it only takes one or two people to mark @post.xero.com as spam, (perhaps because a former-supplier whose invoices they're disputing, keeps sending them invoices they don't want to receive), and that impacts on all the rest of us. Plus we ourselves might block this sender, without realising that we are also blocking every other supplier of ours who also happens to use Xero. Imagine if, in the old days, it'd been easy to inadvertently block incoming invoices by post from companies that used Sage Line 50?!
-
Stuart Murray
commented
I can't believe this.... my accountant wants me to switch from Zoho Books to Xero and now I find I can't even email my customers properly from the platform?? It's crazy that you haven't fixed this yet.
-
Natalie Moore
commented
I had a major client blacklist the @post.xero.com emails as they weren't sure they were legitimate. That was a fun few weeks! Several hundred emails bouncing back, and no one entirely sure why until we had the chance to speak to head office.
-
Chris Blackwell
commented
QuickBooks already has this, support for Gmail integration for sending invoices through your own Gmail account, not from generic Xero email address.
Would be more personal, professional and functional, as well as supporting record of sent emails (invoices etc) in Gmail sent items. Some services also do not accept emails of invoices unless from a recognised email address, so xero address is rejected.
-
Sam Foster
commented
Totally agree. I didn't mean it was an acceptable solution, it's a cumbersome workaround. Seems like a pretty basic feature to me.
-
Jon Murphy
commented
I currently use a service called Paidnice - this allows for Custom Domain settings via CNAME amendments and DKIM settings. I send all my invoices, statements, reminders through their page which links directly to Xero. It's the best I can find to enable all emails to come from my company email address rather than a generic Xero email address. You do have to pay for the service, so frustrating that Xero don't do this but Paidnice are providing a solution that works.
-
Tim Sneller
commented
That's OK if you are sending a single invoice, but when doing a large batch, that's not reasonable, and subject to error - Very easy to miss one.
Xero need to FIX the problem.
-
Sam Foster
commented
I currently send invoices and quotes to myself, then send to the customer from my business email directly.