183 votes
Hi community, thanks for sharing your continued interest here. We appreciate the importance of having assurance that mail you send from Xero is being received, and that being able to send from your own company email would increase confidence in this process.
I can confirm this idea has been regularly reviewed by our product teams, and being able to send from your own company email is on their radar. Currently there are other priorities, and platform work that requires their attention, before they can consider this more deeply.
We'll move the idea back to submitted so we can continue to gauge the interest through votes here. When there is an opportunity to pick this up, I will share any news with you all here.
Verafire Accounts commented
The inability to send domain-based authenticated mail is a cybersecurity threat. They may as well leave a back door open. If it has not happened yet, the supply chain of a big business with significant financials will be compromised through XERO and will use this very message board to prove that XERO was aware of the risk, was repeatedly reminded... and did nothing. In court they will not be able to claim innocence, liability would be proven, and significant costs claimed.
For the moment, I set all my customers' email to whatever@mydomain.com.au and I then manually forward that email to the real customer's email address. It does take time, but the email comes from me, has my logo, is sent authorized through my DKIM/DMARC/SPF and my customers know it is ME.
I did for a moment automate this by having an individual email address per customer with automatic forwarding, but I often add a short note to the email. Rather than adding the text in XERO, I just add it in Outlook now. When customers reply, it also comes to me.
Perhaps if everyone reminds XERO of litigation risk, maybe profit loss will be their motivation??
Verafire Accounts supported this idea
Verafire Accounts commented
Duty of care liability
Q1 - If a XERO customer loses money through fraud that is attributable to lax security in their financial product, can they seriously defend a negligence claim ?
I assert that XERO should be as accountable as a bank. The money is not in a bank account that XERO has - but if it is fraudulently taken from an account through lax security provided by XERO, there must be a strong argument that they do have a de facto duty of care as the intermediary.
There are public records on the XERO website going back 10 years with many customers nearly raging at this security issue and how easy it is to fix. Most of the companies I also engage with have this feature, so it's a no-brainer really.
The world is a nightmare for security with hackers trying to insert themselves in all parts of the business chain. XERO has passwords (standard) and 2FA (standard) but no SMTP AUTH emails (standard for others).
Maybe a lawyer or two could chip in here as to the liability ramifications if a customer does everything right and unauthenticated (easily phished) emails are the cause of a supply chain attack where someone loses a million dollars.
I recently chased this as high as I could go through XERO staff and was told that "this is not even on a roadmap for developments but we can leave a +1 in the comments section if we like". It's at 102 now, maybe next year it'll get to a number high enough to notice.
Food for thought.
Verafire Accounts commented
UPDATE - I have solved this with an imperfect method, that works fine. We had a case with XERO that went nowhere as they have NO plan to implement authenticated SMTP mail.
Here's our solution:
In our Microsoft 365 tenant for our domain.com.au I've created a shared mailbox called xero@mydomain.com.au with an alias per customer as customername@mydomain.com.au. I then alter every customer email in XERO from their real email address to the new customername@mydomain.com.au and all invoices generated now come into the shared mailbox, where a rule bounces a copy to their real email address.
Now they all go out from my fully authenticated, 2FA-compliant domain, even with my server-generated footer via CodeTwo. Yep, some admin involved for sure, but now I am in control and even get send/receive receipts.
The accounts department love it as now customers can reply with queries too and there is no noreply@ email. All the invoices are in one spot with time-tracking for an audit if we need. In setup terms this took a day of IT tech time (to get the bulk of current customers on) to implement, and then each new customer needs to be onboarded into 365 as an alias to the shared mailbox and then bounced to their real address (15 min setup). We are happy to take this extra time as we ended up with a simple system that really has good 'other' benefits too, on top of fully authenticated email originating from our domain name.
Maybe others may also see value in this.
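The shared-mailbox workaround described in this comment (and the manual forwarding in the earlier one) can be scripted in Exchange Online PowerShell. The following is an added example, not code from the original thread, from Xero, or from the commenter; it assumes the ExchangeOnlineManagement module is installed, that you connect as a tenant admin, and that all addresses shown are placeholders. The security-relevant detail is in step 3: an inbox rule that *forwards* generates a fresh message from the shared mailbox, so SPF and DKIM align with your own domain and DMARC passes at the customer's end; a rule that *redirects* would preserve the original Xero sender and lose that alignment.

```powershell
# Added example (not from the original thread): recreating the shared-mailbox
# workaround in Exchange Online PowerShell. Placeholder addresses throughout.
Connect-ExchangeOnline

$shared   = "xero@mydomain.com.au"          # placeholder: the shared mailbox Xero mail lands in
$alias    = "customername@mydomain.com.au"  # placeholder: per-customer alias entered into Xero
$realAddr = "accounts@customer.example"     # placeholder: the customer's actual address

# 1. Shared mailbox that receives everything Xero sends to the alias addresses.
New-Mailbox -Shared -Name "Xero outbound" -PrimarySmtpAddress $shared

# 2. One alias per customer; this is the address you put in Xero's contact record.
Set-Mailbox -Identity $shared -EmailAddresses @{add = $alias}

# 3. Forward (not redirect) mail addressed to that alias on to the real customer.
#    -ForwardTo sends a new message from the shared mailbox, so the outbound mail is
#    signed and authorised for mydomain.com.au. -RedirectTo would keep Xero's original
#    sender and the customer's DMARC check would no longer see an aligned domain.
New-InboxRule -Mailbox $shared -Name "Forward $alias" -SentTo $alias -ForwardTo $realAddr

# 4. Exchange Online blocks automatic forwarding to external addresses by default;
#    enable it deliberately on the outbound spam policy rather than per mailbox.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode On
```

Steps 2 and 3 are repeated once per customer. Because step 4 opens external auto-forwarding tenant-wide, keep it scoped with a dedicated outbound spam policy for the shared mailbox if your tenant otherwise relies on the default block, and review the forwarding rules on that mailbox periodically; unexpected forwarding rules are a common sign of mailbox compromise.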
Verafire Accounts commented
Everyone here is right, and not being able to send authenticated mail from your own domain is plain wrong.
Richard F has the right approach - fix it!! I too know all about how this is to be achieved and it'd cost XERO a day's consult... so it is not money that is the issue.
I'm thinking this is likely just planned marketing, as every email has XERO on it and it is a strategy to get more customers.
Marketing vs. Security..... hmmmmmmm
We integrated with https://www.xeroemail.com and it now works perfectly. The developers were great to deal with, it's simple and elegant, return mail paths are working and nothing now goes out from the generic Xero email addresses. The pricing for us is good, and clients who send hundreds of invoices per month are also integrating. This had frustrated us for years and XERO constantly did not respond to a massive issue with insecure email.
Hope this helps.
David