Xero Mail - Send as @company-name.com not message-service@post.xero.com
Ability to make an email sent from Xero appear as @company-name.com instead of message-service@post.xero.com, when users send an email to their client/customer.
Purpose: To provide more validity when sending communications from Xero out to clients/customers and avoid items ending up in Spam/Junk mail.
Hi team, we appreciate the on-going support and feedback we're receiving on this idea and are pleased to be able to share this update. Our product team are actively exploring how we can best solve for the needs raised here, although at this time we are unable to provide any set timeframes.
They are very much aware of the appetite from our community on this, and as part of their exploration have reached out to some users here as they gather insights.
For the time being we'll shift to In discovery and I'll return as soon as there is more on this to share.
-
Christopher Dunham
commented
Tim - I am not a fan of these long trails; however, the emails certainly are being sent from Xero systems. They match the SPF records exactly. The spammers simply sign up for a Xero account and then send the spam.
We investigate these Xero fraud emails weekly as a cyber security company; they nearly always match the SPF and DMARC and pass. If you don't know what these are then just take it from me, they are sent from Xero.
-
Tim Sneller
commented
I AM not excusing Xero's response so far to this issue, but please remember that the emails are NOT being sent via Xero's systems. Spammers are spoofing the address, and there is NOTHING that Xero can do about that part of the problem.
Obviously, if we are able in the future to send our emails from our own domain, this will mitigate the issue for most larger companies, who have their own domain. However, it will not stop the problem of emails being sent with spoofed addresses, and this will still affect small businesses, who struggle with many IT setup issues.
-
Jeff Layton
commented
I own an IT support business, we manage IT and networks for dozens of small businesses in our area. One question I am getting without fail, over and over again, is: "Are there any options for accounting software that aren't Quickbooks?" This email issue is the main thing that keeps me from recommending Xero as it indicates a fundamental lack of understanding by Xero of how basic email security works.
If Xero is this clueless about email, what other security issues are they overlooking?
-
Christopher Dunham
commented
Kelly - Just FYI, I run a small cyber security company. We only support around 2000 people; however, we have these Xero scams every week from post.xero.com. We have to tell our clients it is an untrusted address. We use a third party paid tool for our invoices syncing to Xero, but it is terrible that we see these scams every single week from Xero without fail.
-
Gavin Wilkinson
commented
Here's an example of something that looks wrong and shouldn't be happening.
It's an email from xero.com but for a company recruiting for AirBnB by asking to click a link.
To me, this stuff should not come from xero.com, it's what gets our invoices blocked.
-
Freya Pieroz
commented
I sent 13 invoices to one customer of a client yesterday; if I get through my tasklist today, I'll have sent another 11. Because of the volume of invoices - every contractor is required by their systems to be invoiced separately, and there's a LOT of them - their email systems have automatically flagged message-service@post.xero.com as spam. As a result, I have to send each invoice individually to me, forward individually to the customer (modifying the email to make it look more professional and aligned with my client's brand), and then individually mark each invoice in Xero as sent, to whom, and that delivery and read receipts were enabled.
That's doubling my workload for no benefit to the client. Other than being able to add delivery and read receipts, which I was comfortable foregoing for the ease of invoicing that Xero offered before the domain got flagged.
I'd ask the client's customer to whitelist the domain, but frankly they shouldn't have to.
-
Richard Fincher
commented
Happy to provide some free consultancy on this. Have run an email hosting service in a London datacentre since 1999, and ran a software development team for 20 years.
-
Adam Romain
commented
Andrew, in a proper implementation the ability to send from a domain is tied to proof of ownership of that domain.
The platform would require DNS verification first, and only the account holder who successfully verifies control of the domain would be permitted to send using it.
Without that verification step, the domain simply can’t be used. Mature SaaS platforms already implement this control as standard practice.
-
Dennis Seyersdahl
commented
I think there may be some confusion about how domain verification and SMTP authorization actually work in this scenario.
In a properly designed system, granting SMTP or domain-verified sending rights inside one tenant/company should not allow another tenant (including Demo companies) to send mail from that domain. Domain verification is normally tied to DNS ownership, and the verified domain should only be usable within the specific organization that completed that verification.
In other words, if Xero implemented this correctly, a threat actor using a Demo company would not be able to send from my domain unless they also had control of my DNS records or access to my organization. That is the same model used by services like Microsoft 365, SendGrid, Amazon SES, and others.
Because of that, the risk would not come from Demo accounts themselves, but from a misconfiguration, lack of tenant isolation, or improper domain verification controls.
From a security standpoint, allowing verified domain sending is actually more secure than forcing everything through @post.xero.com, because proper SPF, DKIM, and DMARC alignment can be enforced and recipients can validate the sender more reliably.
If there is a concern that Demo environments share the same mail infrastructure without strict separation, then that would be the real issue that needs to be addressed, not the concept of using a verified domain itself.
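The two comments above (Adam's on DNS-based proof of ownership, Dennis's on tying the verified domain to a single tenant) describe the same control. The following is an added example, not code from Xero or from anyone in this thread, showing how a hypothetical SaaS platform would implement it: a per-tenant challenge token is published as a DNS TXT record under a label of the platform's choosing (`_mail-sender-verify` is an assumed name), and a platform-wide registry binds the domain to whichever tenant proved control of it. The DNS lookup is injected and backed by a constructed in-memory zone, so it runs offline; a second tenant (standing in for a Demo company) that never completed the challenge is refused.

```python
import hmac
import secrets
from dataclasses import dataclass, field

VERIFY_LABEL = "_mail-sender-verify"   # hypothetical TXT label chosen for this example


@dataclass
class Tenant:
    tenant_id: str
    pending: dict = field(default_factory=dict)   # domain -> outstanding challenge token


class SenderDomainRegistry:
    """Platform-wide map of verified sending domain -> owning tenant.

    The registry, not the tenant record, is the source of truth for who may
    send as a domain, so a domain is bound to at most one tenant at a time.
    """

    def __init__(self, resolve_txt):
        self._resolve_txt = resolve_txt        # callable(name) -> list[str] of TXT strings
        self._owner = {}                       # domain -> tenant_id

    @staticmethod
    def _norm(domain):
        return domain.strip().lower().rstrip(".")

    def start_verification(self, tenant, domain):
        """Issue a fresh challenge; returns the (name, value) TXT record to publish."""
        domain = self._norm(domain)
        token = secrets.token_urlsafe(24)
        tenant.pending[domain] = token
        return f"{VERIFY_LABEL}.{domain}", f"verify={token}"

    def confirm_verification(self, tenant, domain):
        """Bind the domain to this tenant only if its DNS carries this tenant's token."""
        domain = self._norm(domain)
        token = tenant.pending.get(domain)
        if token is None:
            return False                       # this tenant never requested a challenge
        expected = f"verify={token}"
        published = self._resolve_txt(f"{VERIFY_LABEL}.{domain}")
        # Constant-time compare against each TXT string; unrelated TXT records may coexist.
        if not any(hmac.compare_digest(rec, expected) for rec in published):
            return False
        del tenant.pending[domain]             # token is single-use
        self._owner[domain] = tenant.tenant_id  # (re)assigns ownership to whoever proved control
        return True

    def may_send_as(self, tenant, address):
        """Authorise a From: address for this tenant only if the tenant owns its domain."""
        if "@" not in address:
            return False
        domain = self._norm(address.rsplit("@", 1)[1])
        return self._owner.get(domain) == tenant.tenant_id


def demo():
    """Walk through the flow against a constructed DNS zone; returns the outcomes."""
    zone = {}                                  # constructed zone: name -> list of TXT strings
    registry = SenderDomainRegistry(lambda name: zone.get(name.lower(), []))
    acme = Tenant("acme-org")
    demo_co = Tenant("demo-company")           # stands in for a free Demo company

    name, value = registry.start_verification(acme, "Acme.Example.")
    # The customer publishes the token next to an unrelated TXT record.
    zone[name] = ["some-other-service-verification=abc123", value]

    return {
        "acme_verified": registry.confirm_verification(acme, "acme.example"),
        "demo_verified": registry.confirm_verification(demo_co, "acme.example"),
        "acme_can_send": registry.may_send_as(acme, "billing@acme.example"),
        "demo_can_send": registry.may_send_as(demo_co, "billing@acme.example"),
        "acme_other_domain": registry.may_send_as(acme, "billing@other.example"),
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key}: {outcome}")
```

The point of keeping ownership in the registry rather than on the tenant is the tenant-isolation property Dennis describes: a Demo company sharing the same mail infrastructure has no entry in the registry, so `may_send_as` refuses it regardless of what the Demo account claims.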
-
Andrew Syme
commented
Adam, I disagree. Read the first line I wrote. We know that threat actors are using DEMO. Therefore, if you give permission to XERO to send via SMTP, you are giving permission to DEMO to send emails under your name.
How many of "SendGrid, Amazon, HubSpot and many others" have a FREE demo account for anyone to use?
-
Adam Romain
commented
Andrew,
I think there may be a bit of a misunderstanding here.
The suggestion isn't that anyone should be able to send arbitrary email addresses through Xero. The whole point of domain verification is the opposite .... it proves that the sender actually controls the domain they're sending from.
Platforms like SendGrid, Amazon, HubSpot and many others already do this. You add a DNS record to prove ownership of the domain, then configure SPF/DKIM so receiving mail servers can verify the message is legitimate.
Without that verification step, it wouldn’t work in the first place.
The current situation actually has the opposite problem .... invoices arrive from @post.xero.com, which can look less authentic to recipients who expect communication from the company’s own domain….
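To make concrete what "configure SPF/DKIM so receiving mail servers can verify the message" (Adam) and "proper SPF, DKIM, and DMARC alignment can be enforced" (Dennis) mean from the receiving side, here is an added example that is not code from Xero or from this thread. It is a deliberately small SPF evaluator (ip4, ip6, include and all only) plus a DMARC alignment check, run over a constructed set of DNS TXT records in which `platform.example` stands in for a SaaS mail platform and `acme.example` for a customer. The organisational-domain rule is simplified to the last two labels rather than the Public Suffix List. The scenarios show why a platform-domain envelope passes SPF yet still fails DMARC for a customer's `From:` domain until the platform signs with DKIM as that domain, and how an unauthorised source claiming the customer's domain is rejected.

```python
import ipaddress

# Constructed DNS TXT records for the example; nothing is looked up on the network.
TXT = {
    "post.platform.example": ["v=spf1 include:_spf.platform.example -all"],
    "_spf.platform.example": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all"],
    "acme.example": ["v=spf1 include:_spf.platform.example ip4:198.51.100.7 -all"],
    "_dmarc.acme.example": ["v=DMARC1; p=reject; adkim=r; aspf=r"],
    "_dmarc.post.platform.example": ["v=DMARC1; p=quarantine"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _txt(name):
    return TXT.get(name.lower().rstrip("."), [])


def spf_check(domain, ip, depth=0):
    """Minimal SPF evaluator (ip4/ip6/include/all). Returns an RFC 7208 result string."""
    if depth > 10:
        return "permerror"                      # RFC 7208 limit on DNS-querying terms
    recs = [r for r in _txt(domain) if r.startswith("v=spf1")]
    if len(recs) != 1:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in recs[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qual]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER[qual]
        elif mech == "include" and spf_check(arg, ip, depth + 1) == "pass":
            return QUALIFIER[qual]
    return "neutral"                            # no mechanism matched, no "all" term


def org_domain(domain):
    # Simplification: real DMARC uses the Public Suffix List; two labels suffice here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') is exact match, relaxed ('r') is same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, mail_from_domain, source_ip, dkim_domains=()):
    """Return (disposition, details). dkim_domains holds d= values of signatures that verified."""
    tags = {}
    for rec in _txt(f"_dmarc.{from_domain}"):
        if rec.startswith("v=DMARC1"):
            tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    if not tags:
        return "none", {}                       # no DMARC policy published for the From: domain
    spf = spf_check(mail_from_domain, source_ip)
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r")) for d in dkim_domains)
    disposition = "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
    return disposition, {"spf": spf, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


def scenarios():
    platform_ip = "203.0.113.25"                # inside the platform's constructed SPF range
    rogue_ip = "192.0.2.99"                     # authorised nowhere (constructed)
    return {
        # 1. Today's model: From: and envelope sender both on the platform's own domain.
        "platform_domain": dmarc_evaluate("post.platform.example", "post.platform.example", platform_ip)[0],
        # 2. Customer domain in From:, platform envelope, no DKIM: SPF passes but is not aligned.
        "custom_from_unaligned": dmarc_evaluate("acme.example", "post.platform.example", platform_ip)[0],
        # 3. Verified-domain model: the platform signs with d=acme.example.
        "custom_from_dkim_aligned": dmarc_evaluate("acme.example", "post.platform.example", platform_ip, ("acme.example",))[0],
        # 4. Envelope sender also on the customer's domain, whose SPF includes the platform.
        "custom_from_spf_aligned": dmarc_evaluate("acme.example", "acme.example", platform_ip)[0],
        # 5. Unauthorised source claiming acme.example with no valid signature.
        "spoof_from_rogue_ip": dmarc_evaluate("acme.example", "acme.example", rogue_ip)[0],
    }


if __name__ == "__main__":
    for name, disposition in scenarios().items():
        print(f"{name}: {disposition}")
```

Scenario 2 is the crux of the thread: the message genuinely left the platform's servers and SPF passes, but because the authenticated domain is the platform's rather than the customer's, DMARC for `acme.example` fails and a `p=reject` policy would bounce it. Either a DKIM signature for the customer's domain (scenario 3) or a customer-domain envelope backed by an SPF include (scenario 4) fixes alignment, which is exactly what a verified-domain option would let the platform do.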
-
Andrew Syme
commented
There is also the reverse. We know that "threat actors" are using Xero Demo Company to send fake invoices to targets.
Now, you wish to add your email addresses to their repertoire? Email should be the second last resort (postal being last) for communicating invoices.
-
Tim Sneller
commented
Gavin highlights one of the main problems. Because so much SPAM email appears to come from post.xero..., people just block them, without any consideration of the impact on suppliers sending invoices.
It also makes it almost impossible for those of us who use Xero to block these spam emails without affecting copies of emails that we send to ourselves from Xero.
Please just enable us to specify an alternate SMTP service, so that we have an alternative. It will also look more professional if our invoices look as if WE sent them, and not an outside agency.
-
Gavin Wilkinson
commented
I receive job offers saying they are from Ferrari or Chanel, etc. and when I look at the address, it is a post.xero.com address.
There is no way these places would be offering me a job and they are clearly phishing. The trouble is that I can't flag them as such because it would mess with our billing and payroll. Nightmare.
Letting us send from our domain would be ideal. I can't think of any other platforms we use that don't allow this.
-
Dave Turney
commented
Easiest thing in the world to solve.
Just allow SMTP LIKE EVERY OTHER SERVICE OUT THERE. Get serious or start losing people.
I'm ready to make the jump.
-
Adam Romain
commented
Kelly and the team @ Xero. I'm VERY pleased to see this major problem has now progressed internally at Xero.
From Xero's point of view, the objective is simple. Give customers who want the ability to use their own domain, following proof of ownership of the domain, the ability to send as alias@company-name.com.
A straightforward domain ownership verification step would prevent abuse. Once verified, users could configure the necessary DNS records (SPF/DKIM/DMARC) to support it.
If there are concerns around support load due to misconfigured mail authentication, the feature could simply be opt-in with a clear disclaimer that configuration of SPF/DKIM/DMARC is the responsibility of the customer.
Businesses that already operate with custom domains typically have access to the resources needed to configure DNS correctly. And for smaller customers or those who prefer simplicity, the existing @post.xero.com option remains perfectly suitable.
In other words, this doesn't need to replace the current system ... just provide a proper option for those who need it.
Ultimately, enabling this would strengthen the authenticity and professionalism of communications sent through Xero.... giving SMEs a small but meaningful professional boost, and making it a clear win for both customers and Xero.
Be bold Xero. Lead on this. It's important.... trust me..... I'm a consulting CISO.
-
George Aretakis
commented
Very good point, Richard Fincher
-
Stephanie Leito
commented
Glad more people are expressing that their customers are not receiving the invoices.
When I open a ticket Xero acts as if I'm the only one and wants to have a call with me. I told them I am not their beta tester. These problems started happening when they changed the new invoicing. I did not have it before.
This is very annoying to customers when they don't get the recurring invoices, but do get the reminder emails.
Xero sent me this:
"Please ask your IT department to try this:
Emails sent from Xero usually contain financial information, so can sometimes be incorrectly identified as spam and redirected to junk folders or rejected completely.
It's also possible that your customer might have marked Xero email addresses as spam or has blocked them.
To resolve this, please ask them to add '@xero.com' and '@post.xero.com' to their email approve list to ensure they receive messages from Xero. Alternatively, if their email service provider allows, they can add the following IP addresses to their allow list:
192.237.159.130
192.237.159.151
192.237.159.187
192.237.159.186
104.130.122.55
If they're still having trouble receiving emails from Xero, we'd recommend that they investigate further with their email service provider.
I've included a link to our support article for more information.
Xero Central article: Contact not receiving an email sent through Xero"
However, the issue still remains, thus we are receiving payments very late because of this issue.
-
Richard Fincher
commented
Yes, it only takes one or two people to mark @post.xero.com as spam (perhaps because a former supplier whose invoices they're disputing keeps sending them invoices they don't want to receive), and that impacts all the rest of us. Plus we ourselves might block this sender, without realising that we are also blocking every other supplier of ours who also happens to use Xero. Imagine if, in the old days, it'd been easy to inadvertently block incoming invoices by post from companies that used Sage Line 50?!
-
Stuart Murray
commented
I can't believe this.... my accountant wants me to switch from Zoho Books to Xero and now I find I can't even email my customers properly from the platform?? It's crazy that you haven't fixed this yet.