-
415 votes
Hi team, we appreciate the on-going support and feedback we're receiving on this idea and pleased to be able to share this update. Our product team are actively exploring how we can best solve for the needs raised here, although at this time are unable to provide any set timeframes.
They are very much aware of the appetite from our community on this, and as part of their exploration have reached out to some users here as they gather insights.
For the time being we'll shift to In discovery and I'll return as soon as there is more on this to share.
Dennis Seyersdahl
commented
For anyone following this thread, I reached out directly to Xero through their phishing / security reporting channel to ask what the correct escalation path is outside of the forum and normal support tickets.
This is the response I received from Xero’s security team. They confirmed that these reports should be sent to their security team and provided the addresses they want incidents forwarded to so they can investigate and take action:
They also stated that their security team reviews the headers and takes steps to prevent similar emails being sent in the future when they have enough information to investigate.
Based on that response, there does appear to be a proper escalation path for these cases beyond forum posts, and it sounds like the correct process when these emails are seen is to forward the message with headers to their security team so they can review the tenant or account that sent it.
Putting the issue only in a forum is not really a proper escalation path. A forum is useful for discussion and awareness, but it is still just a complaint thread and may not reach the security team or the people who can actually investigate the problem. In many cases the people reading or replying in the forum are not part of Xero’s security or engineering teams, so the issue may never be reviewed at the level needed to make changes.
I understand the concern about volume, especially if you are seeing a lot of these across multiple clients, but since these messages are coming from Xero’s own sending service and passing SPF / DMARC, this seems like one of the situations where reporting it through their security channel makes more sense than treating it like a normal spam sender.
At least this gives us a confirmed path from Xero on how they want these incidents handled instead of assuming nothing can be done.
Dennis Seyersdahl
commented
Can Xero clarify what escalation path you recommend for reporting suspected fraud or platform abuse outside of the normal support ticket process?
Forum discussions and standard tickets don’t always reach the team responsible for security review, and in cases where emails are being sent through Xero’s messaging service and passing SPF / DMARC, it would be helpful to know the correct channel to report this so it can be reviewed by the appropriate security or abuse team.
If there is a dedicated contact, abuse address, or incident-response process that partners and IT providers should use for situations like this, please provide that information so these reports can be submitted through the proper path instead of only being raised in forum threads.
Dennis Seyersdahl
commented
Christopher,
Complaints on the forum by themselves don’t fix the underlying issue, I agree with that. My point was that if the concern is serious enough that you are blocking an entire vendor sending domain across client environments, then the discussion should move beyond forum posts and into a proper escalation path with the vendor. Forum threads are useful for awareness, but they are not the same as reporting a security incident through the channels vendors use for abuse, fraud, or incident response.
If Xero truly considers the behavior expected, then the right place to challenge that is through their security or abuse reporting process, not just community discussions. Most platforms have a separate escalation path for fraud, spoofing, or platform abuse that goes beyond normal support tickets, and that is typically how these kinds of issues actually get reviewed by the people who can make changes.
From my side, the reason I questioned this is because blocking an entire service like post.xero.com at the client level treats the symptom but does not address the source. I understand why you would do it to protect clients in the short term, but long-term that approach just shifts the problem instead of resolving it. Blocking symptoms without reporting the cause does not improve security, it just moves the problem somewhere else.
Dennis Seyersdahl
commented
I also want to address the comment about “virtue signaling,” because that does not apply to what I said. Virtue signaling is when someone makes a statement purely to appear morally superior or to gain approval, without any real intent to solve the problem. That is not what I am doing here. My response was based on standard incident-handling practice that we use in the IT industry every day.
When a system is believed to be insecure, compromised, or being abused to send messages, the normal process is to notify the source with enough technical detail for them to investigate. That is not trying to fix the world, and it is not trying to make a point — it is simply how root-cause resolution works. We do this regularly when other companies’ tenants, mail systems, or domains are used to send malicious or suspicious messages to our clients. We contact their IT or security team, provide headers/logs, and let them handle it on their side.
In this case, the concern raised was about Xero’s sending platform. If that platform is considered insecure or untrustworthy, then reporting the behavior to the vendor with the data you already have would be the normal and professional step, especially for a company that provides IT security services. That is not virtue signaling — that is basic escalation and responsible handling of a security concern.
It may also make sense to ask Xero what escalation path they recommend for security-related incidents outside of normal support, so situations like this can be reported through the proper channel instead of only working through standard ticketing. Most vendors have abuse, security, or incident response contacts specifically for this reason.
I agree that our priority is to protect our own clients, and we do the same. But part of protecting clients is addressing the source when possible, not only putting local restrictions in place and leaving the underlying issue unresolved. Blocking symptoms without reporting the cause does not improve security, it just moves the problem somewhere else, and increases the chance that the same issue will continue to affect other companies as well.
Dennis Seyersdahl
commented
Christopher,
As an IT services provider myself, I deal with these situations regularly. When one of my clients receives suspicious or malicious emails from another company, I contact that company directly to let them know their account has likely been compromised so they can correct the issue on their end. Once notified, the expectation is that their IT or security team takes ownership of the problem, investigates the breach, secures the account, and confirms that the threat has been contained.
In this case, since you are not contacting Xero directly, they may not even be aware that their system or domain is being used in a way that is causing issues for others. As an IT security company, you are in a position to provide them with message headers, logs, timestamps, and other technical details that most normal businesses would not know how to gather or send. Sharing that information is part of responsible incident handling and helps stop the problem at the source instead of only working around it.
While I agree that we should be able to use our own domain without restrictions, the lack of ownership being taken here is concerning. When a security-focused IT provider sees activity that appears malicious or compromised, the standard practice is to notify the source, provide the evidence, and work to have the root cause corrected. Simply blocking or refusing communication without escalating it to the affected vendor does not resolve the underlying issue and allows the problem to continue.
From our side, we will continue to secure our environment as needed, but the responsibility for reporting and working with the sending platform falls on the party that identified the security concern, especially when that party is an IT security provider.
Dennis Seyersdahl
commented
I think there may be some confusion about how domain verification and SMTP authorization actually work in this scenario.
In a properly designed system, granting SMTP or domain-verified sending rights inside one tenant/company should not allow another tenant (including Demo companies) to send mail from that domain. Domain verification is normally tied to DNS ownership, and the verified domain should only be usable within the specific organization that completed that verification.
In other words, if Xero implemented this correctly, a threat actor using a Demo company would not be able to send from my domain unless they also had control of my DNS records or access to my organization. That is the same model used by services like Microsoft 365, SendGrid, Amazon SES, and others.
Because of that, the risk would not come from Demo accounts themselves, but from a misconfiguration, lack of tenant isolation, or improper domain verification controls.
From a security standpoint, allowing verified domain sending is actually more secure than forcing everything through @post.xero.com, because proper SPF, DKIM, and DMARC alignment can be enforced and recipients can validate the sender more reliably.
If there is a concern that Demo environments share the same mail infrastructure without strict separation, then that would be the real issue that needs to be addressed, not the concept of using a verified domain itself.
Dennis Seyersdahl
commented
I do not think having to use a 3rd party is what I want to do either as it creates more risk in the email chain and more cost to my business. It should be part of the system we pay for especially since costs per month are going up again. Many on prem and hosted services do this type of function.
Dennis Seyersdahl
commented
As an MSP that uses Xero, one of my customer's employees received several Online Crypto Purchase Invoices coming from Xero email accounts. He does not do Crypto for 1. Secondly, these are phishing emails using messaging.service@post.xero.com.
This is why we need our own ability to use our own domain to send out these messages.
If Xero is going to take any responsibility and liability for someone clicking on a bad link or paying for an unknown invoice, then keep the domain as Xero. I will be happy to have the attorneys that received this fight this battle. It was a law firm that received several of these messages; I attached them so other users can see what they received.
It appears "Bad Actors" are now trying to use Xero to fool people into paying for Crypto using Xero invoices. Xero either knows about this and is investigating the issue, or no one has mentioned it to them and they are unaware of this issue. I am assuming nothing is being said from Xero about this yet as they are investigating.
Xero, you can reach out to me directly if you need to. But if I start losing customers because of this I will take legal means to hold you accountable for all moneys lost and future estimated costs.
Dennis Seyersdahl
commented
I've used Zoho products before and my experience was great at first then customer service became a nightmare, and prices increased a lot, and development stopped listening and negotiations of pricing became difficult. Unfortunately, this is not on a Zoho or any other application. Which is why I go with Customer Service as a high number is calculating what products I refer and use. I was more upset than people on any of the Xero boards. Also, Xero is just getting started in the US compared to Europe. It is much bigger platform there vs here and so much better than QuickBooks even with the things it needs to develop.
I do agree we should have the option to use our own domains as a way to send out invoices, quotes, etc.
Dennis Seyersdahl
supported this idea
Dennis Seyersdahl
commented
Add an option for us to add a company email address to send from within the system using user name/password authentication. This could be from a system such as Microsoft 365. This could be an integration with a company's Microsoft 365 system.
-
474 votes
Hi team, work for requesting and accepting deposit payments has progressed well. We're now just entering the stage of rolling out a solution powered by Stripe to a limited group of users.
As mentioned in my last update - we're extremely grateful to our community here, who have shared their interest and provided feedback on how deposits in invoicing would meet your needs. We'd love to hear your feedback on our developments for this feature early and have included anyone that has voted on this idea and is connected to Stripe in the first group rollout - You'll receive a banner in your organisation on how to make use of this soon.
I'll share more again here as the rollout widens. Thanks!
Dennis Seyersdahl
commented
Why should we pay for a third party to do something that should be done already in the SW? That makes no sense. I get the connection but that only works for a limited amount of customer base.
Kelly, we need more information on what the plans are on rollout. If connecting to Stripe is the first part, then is the end goal to have it work without Stripe as well?
I have started this last year to take down payments because the orders of HW are so large. These customers only pay with check and not with a payment system.
Dennis Seyersdahl
supported this idea
-
89 votes
Hi team, thank you for your continued feedback and we understand the importance of this change for some customers (especially everyone that's voted here). I want to assure you that the ability to add and save addresses in the new Purchase orders experience is in the works and our product team are aiming to release this within the next couple of months. As soon as there are further updates I'll share news with you here.
Dennis Seyersdahl
supported this idea
-
14 votes
Hi team, rounding back we wanted to provide another update as work is moving along well for enabling auto sales tax in Quotes.
We are aiming to have this available for you all in the next couple of months!
I'll come back to share as this feature goes live.
Dennis Seyersdahl
commented
I sat down with the quote team recently and they are working on this. I agree this is a hassle.
Dennis Seyersdahl
commented
Jennifer,
That is one reason I opened this. The others are that I have to make sure that I have the correct taxing not only for repeating invoices but also for my quotes. It takes so much more time than having to use the AutoTax feature. It is such a great feature when used but it feels like it was poorly implemented, meaning only partially done. If they could add this to both repeating invoices and quotes it would be such a time saver. I would assume it should take only a small amount of programming to link it to these areas.
Dennis Seyersdahl
supported this idea
Dennis Seyersdahl
commented
Repeating Invoices to have complete the auto tax feature implementation
-
81 votes
Dennis Seyersdahl
commented
I would like to see the ability to group or package items together for a single line item with custom description. As I am growing my business, I am finding that this will be most helpful so I can have a line item that incorporates many products into 1 product but have the ability to track or see how much is being sold individually as many products will be in different packages.
Dennis Seyersdahl
supported this idea
-
8 votes
Dennis Seyersdahl
shared this idea
-
23 votes
Rounding back on the idea here it sounds like using non tracked inventory could be a solution.
In Products and services you can add items and enter a Purchase price and a Sales price for the same item.
This means you can add the marked up price for Sales and when you select the item in Quotes or Invoices this price will be reflected for the line item.
Alternatively, you could add a discount to lines of your invoice if there is a general amount or % by which you would mark up items.
Keen to hear your feedback for these options.
Dennis Seyersdahl
commented
Kelly Munro (Admin, Xero) as this may seem like a work around it is easier to add a markup to show how much one wants to mark up a product. Although, the feature would have to have a way to show a discount to the user. Some users I mark up more than others due to several factors. One being risk of payment taking too long. I want my customers to see the MSRP so that they know how much I am saving them. It is important to show them these costs. It is what keeps them coming back. And I like to track items. They do not need to see the markup cost, but the translated Discount percentage from the MSRP from the markup.
Dennis Seyersdahl
supported this idea
-
178 votes
Dennis Seyersdahl
supported this idea
-
144 votes
Hi everyone, we wanted to loop back on the outcome of the survey we did. Our product team have used this feedback, and looked into building this feature but at this stage want to confirm that this work is not currently on our roadmap.
As a global business with many requests for our different regions and needs, we are not able to build everything at once.
We appreciate this is not the news you’d like around this but do want to be upfront with you all here to help you make the best decisions as needed for your businesses. If things change, we’ll communicate this with you through the idea here.
Dennis Seyersdahl
supported this idea
-
407 votes
Hey team, thanks for all your input on partial asset disposal.
We understand that manually managing parts of an asset can be time-consuming. While we don't have plans at this time to develop a built-in feature, your feedback's really helpful in showing us where things could improve.
For now, manual methods to calculate depreciation and record journal entries to keep things accurate would be the best option.
However, this is a feature that we'd like to revisit as we plan our future roadmaps, and will be happy to share if there is any traction around this. Please keep sharing this idea with any colleagues you feel could benefit from this too.
Dennis Seyersdahl
supported this idea
-
1,372 votes
Thanks for your continued engagement and valuable feedback on this long-standing idea, everyone. We've been carefully reviewing your comments and want to acknowledge the clear sentiment of frustration regarding the current limitations around managing multiple addresses for contacts, particularly for invoicing and delivery purposes, and that this is a critical feature to many of you.
We want to share an update on our progress here - We're pleased to confirm that the foundational work for handling multiple addresses has been completed within the Contacts area of Xero. This was a crucial first step. Building on this, now that all customers are on the new invoicing experience our product team has moved into the discovery phase for adding multiple addresses directly within invoicing. This means they are actively exploring the best way to implement this functionality to meet your needs effectively.
We appreciate your patience as we work through the complexities…
Dennis Seyersdahl
supported this idea
-
54 votes
Dennis Seyersdahl
supported this idea
-
198 votes
We appreciate users wanting more flexibility in the data they show on invoices. At present our teams are re-developing some of the base features across Sales with particular focus on new invoicing.
At this time, there are no plans for developing a field for a PO number in invoicing. Focus is on existing features in invoicing.
It's good to get a renewed understanding of interest here on Product Ideas, and if there's any news we will update on this here. In the meantime, there is a way the custom template can be edited to rename the Reference field as a 'Purchase Order Number' field - see more in the discussion here.
Dennis Seyersdahl
supported this idea
-
47 votes
Hi team, while it's not possible to include links to all outstanding invoices when sending a statement I did want to make sure you're aware of the option to include a link to Outstanding bills when emailing an invoice to a customer.
From this link your customer will be able to see a total and the individual invoices they have outstanding to pay with you - more on this here
Dennis Seyersdahl
supported this idea
-
50 votes
Dennis Seyersdahl
supported this idea
-
263 votes
Hi everyone, we appreciate your support and feedback for having a Repeating Invoices Report.
We know that not having a dedicated report for your repeating invoices can present limitations when trying to forecast sales.
As noted by others in the idea, while not a complete solution there is the Receivable invoice detail report, that will provide results for invoices that have already generated from a repeat invoice template. There is also Short term cashflow predictions in Xero Analytics Plus that can predict recurring cash transactions based on the past 3 months reconciliations.
For more comprehensive forecasting, some users have found third-party apps that integrate with Xero to be helpful - You can view the full suite of official apps on our Xero App store.
While we understand these aren't ideal long-term solutions, I want to let you know that there's no work currently planned to develop a specific…
Dennis Seyersdahl
supported this idea
-
14 votes
Dennis Seyersdahl
supported this idea
-
335 votes
Hi all - thanks for taking the time to provide your votes and commentary on the idea to enable subtotals in invoices. We appreciate how this would make invoicing easier and enable you to provide a clear breakdown on invoices.
As you can imagine with a global product, the variety of ideas we receive is expansive and so the product team focuses on building features that will meet most people’s needs. In the interest of transparency at this stage this idea is not currently planned. However we’re still open to receiving feedback and votes. It could always be reconsidered at a later date.
In the meantime it’s worth highlighting (as a few have mentioned already) a workaround is to generate an invoice as a PDF and then edit the PDF externally. Alternatively our Xero App Store has many invoicing providers who may do this. You can browse the invoice providers…
Dennis Seyersdahl
supported this idea
-
229 votes
Hi everyone, we'd like to share an update with you all.
We've begun release of a deposits solution powered by Stripe to a small group of customers, and expect to roll this out over the coming months.
We appreciate progressive payments for businesses that work on more of an instalments flow is a little more complex than what will be available initially with deposits.
We do have intentions to expand on this feature over time, and I'll continue to keep you updated with further news on deposits and progress payments.
Dennis Seyersdahl
supported this idea
-
510 votes
Hi community, we thank you for your feedback on the value of being able to flag a Sales invoice as in dispute. We know a clear way to mark these invoices would be helpful.
Similarly to our update for Supplier invoices there are a few options you may want to consider to currently highlight Sales invoices in this situation;
- Add a note to the invoice to serve as a clear internal reminder of the dispute.
- Utilise tracking categories: Creating a specific tracking category like "Disputed Invoices" can help you filter and report on these items.
- Update the reference to add a notation such as [reference number] - 'In dispute'
While we know these aren't perfect solutions, we hope these may help some in the conversation right now.
We appreciate your enthusiasm for this feature, and we want to be transparent about where it stands, and this is an idea that…
Dennis Seyersdahl
supported this idea
Andrew,
You do not need to single me out. My intent was simply to make sure the issue was reported to the correct department so it can be addressed through the proper channels. If nothing is done after that, then the responsibility falls on them, not on us when our clients are impacted.
I also think the conversation had started to drift into complaints rather than solutions. As IT professionals, it is important that we help guide issues through the correct process instead of just venting in a forum where the people reading may not be the ones who can actually fix the problem. The only reason I spoke up was because of the ongoing complaints and the comment that the individual ran an IT security company. With over 25 years in the IT field, I have rarely seen situations where IT professionals were unwilling to at least try to move an issue forward in a constructive way.
That is why I contacted Xero directly and shared their response, so we could get the discussion back on track and focused on what can actually be done. I was also personally receiving multiple spam messages related to this issue, which is another reason I felt it was worth addressing.
We should be able to use our own domains, and this type of risk is not unique to Xero. QuickBooks has similar limitations, and we see the same types of attacks there as well, including spoofed domains and look-alike registrations. I had a customer recently where a bad actor registered a domain with a single extra letter added in the middle of the name. The customer’s client did not notice the difference, and the issue was only caught after I reviewed the messages. That situation ended up being reported to ICANN after we confirmed the domain was being used maliciously.
My point is that these are real security concerns, and the correct response is to report them through the proper channels so something can actually be done, not just complain about them in a forum.
If you want to single me out, that is your choice, but I will respond when I feel it is necessary to clarify my position.