Skip to main content
All CollectionsGetting Started
Set up email for Max on your domain
Set up email for Max on your domain

How to set up email addresses for Max on your company's domain

Updated over a month ago

This article covers how to set up email for Max, your autonomous AI recruiting partner from Tezi, on your company's Google domain. This enables Max to start emailing and scheduling candidates as a recruiter for your company while keeping your organization's sensitive information secure.

In this article, you will set up two emails--one for Max to send sourcing emails to prospective candidates (max.tezi@hey.[yourdomain].com) and one for Max to email and schedule interviews with confirmed candidates (max.tezi@[yourdomain].com). We separate these two types of emails to protect your domain's email reputation (see below for more details).

Note that completing the steps in this article requires special permissions:

  • Part 1 can only be completed by a DNS administrator.

  • Parts 2 and 3 can only be completed by a Google Workspace super administrator or an administrator with permissions related to security and API controls.

  • Depending on your company's Slack workspace settings, Part 4 can only be completed by a Slack workspace administrator.

Completing these steps typically takes 30-45 minutes.

For answers to common questions, see our Technical set-up FAQ.

Part 1: Set up Max's sourcing email

Tezi will send outbound sourcing emails to prospective candidates on behalf of your company. While Tezi prioritizes high-quality matches in sourcing, some emails may be marked as spam by prospects. To safeguard your domain's email reputation and deliverability, this section describes how to set up a dedicated subdomain (hey.[yourdomain]) for Max's sourcing emails in your DNS provider. The steps below also enable Tezi to use SendGrid’s Email Platform to send these emails.

Before you begin, please ensure you have the CNAME records provided by your Tezi Customer Success Manager.

If helpful, here are links for how to update DNS records at common DNS providers:

For all steps below, please check that your new DNS records follow the format required by your DNS provider, e.g., MX record ends with a period if required.

1. Sign in to your DNS provider

2. Add CNAME records

Tezi uses Sendgrid’s automated security, which means SendGrid generates three CNAME records that, when added to a domain’s DNS provider, allow SendGrid to manage two main types of email authentication:

  • Sender Policy Framework (SPF): this is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain.

  • DomainKeys Identified Mail (DKIM): this is an email authentication method that allows the sender to sign their emails with a cryptographic signature, enabling the recipient's server to verify that the email was sent from an authorized source and that its content hasn't been altered in transit.

You should have received three SendGrid-generated CNAME records from your Tezi Customer Success Manager. Please add these CNAME records to your DNS provider. They will enable Tezi to use SendGrid to send fully authenticated emails from the subdomain (but not your company's main domain).

3. Add an MX record for the subdomain hey.[yourdomain]

When candidates respond to sourcing emails, Tezi has configured those replies to go to the Tezi email account that you will set up in Parts 2 and 3. However, in some cases, candidates might email Max's subdomain address (max.tezi@hey.[yourdomain]) directly. In order for Tezi to receive these emails, you will need to add a record to your DNS provider that signals that any inbound emails to Max's subdomain will be handled by Tezi (through Sendgrid’s email parsing infrastructure):

  1. Add an MX record for the hey.[yourdomain] subdomain with the following values:

    1. Priority: 10

    2. Mail server value: mx.sendgrid.net

Please ensure you add this record at the subdomain level, not at the top-level domain. Otherwise, this may interfere with emails for your overall company domain.

4. Create a DMARC record for your subdomain (recommended)

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to specify what receiving mail servers should do with emails that do not pass SPF or DKIM checks, e.g., mark as spam, reject, etc.

If your subdomain does not have a DMARC record, Tezi will still work. However, we recommend creating one as a general security practice. A DMARC record will protect against unauthorized parties spoofing your subdomain. It will also improve email deliverability by giving email providers more confidence in the authenticity of emails from your subdomain.

To create a DMARC record:

  1. Add a TXT record with the name _dmarc.hey or _dmarc.hey.[your domain] (varies by DNS provider) and your desired DMARC options. We recommend the following values: v=DMARC1; p=none; rua=mailto:[any valid email address in your organization]

    1. The specified email address will receive summary reports of email traffic and authentication results.

    2. p=none means that no action will be taken on emails that fail SPF and DKIM; they will be delivered as usual. This is our recommended starting point for a DMARC policy. Over time, as you learn about email traffic on your domain from the summary reports, you can update your DMARC record to take different actions on unauthenticated emails.

    3. There are many options for configuring your DMARC policy/record. See Define your DMARC record by Google to learn more.

    4. Please ensure you add this record at the subdomain level, not at the top-level domain. Otherwise, this may interfere with emails for your overall company domain.

Part 2: Set up a new Organizational Unit (OU) for Max

Max will use an email address in your main company domain to correspond with and schedule interviews for confirmed candidates (i.e., all emails other than sourcing emails to prospective candidates). To protect your company's data integrity, we want this email address to have the bare minimum domain permissions required for its operations. This section explains how to achieve this by creating a dedicated OU for Max and configuring the OU's permissions. Later, we will create an email address for Max in this OU.

If you already have a limited privilege OU that you think will work for Max, you can skip to 6. Install and configure the Tezi app for the Tezi - Max OU. We recommend that Max's OU should have the following permissions:

  • Access to:

    • Gmail, Google Meet, and Google Calendar

    • Ability for users to set up 2-step verification

  • No access to:

See below for steps to create and configure a new OU for Max:

1. Sign in to your Google Admin console

2. Create a new Organizational Unit (OU) for Max

Create a dedicated OU for Max to make permissions management simple:

  1. Go to Directory -> Organizational units.

  2. Click Create organizational unit. We recommend naming the new OU "Tezi - Max" and including a helpful description.

3. Configure service access for the "Tezi - Max" OU

Max needs access to only a few Google Workspace services. Follow the steps below to restrict the "Tezi - Max" OU's permissions appropriately:

  1. Go to Apps -> Google Workspace -> Service status.

  2. On the lefthand side, select the "Tezi - Max" OU.

  3. For the "Tezi - Max" OU, turn off service status for all services except Calendar, Gmail, Google Chat (will not be used by Tezi but cannot be disabled), and Google Meet.

    1. Please ensure the "Tezi - Max" OU has access to Calendar, Gmail, and Google Meet. Max will not work without these services.

  4. Go to Apps -> Additional Google services.

  5. On the lefthand side, select the Tezi - Max OU.

  6. For the "Tezi - Max" OU, turn off service status for all services.

4. Disable app access for the "Tezi - Max" OU

Max does not rely on any third-party apps (other than the Tezi app; see 6. Install and configure the Tezi app for the Tezi - Max OU below), so disable access to all third-party and internal apps for the "Tezi - Max" OU:

  1. Go to Security -> Access and data control -> API controls.

    1. Note: You may need to click Show more in the lefthand menu to find Security.

  2. Click on Settings.

  3. On the lefthand side, select the "Tezi - Max" OU.

  4. Under Unconfigured third-party apps, select Don't allow users to access any third-party apps.

  5. Under Internal apps, de-select Trust internal apps. Your API controls page should now look like the following:

  6. Return to Security -> Access and data control -> API controls.

  7. Click on Manage Third-Party App Access.

  8. Select all apps.

    1. Note: There can be multiple pages of apps. If you have multiple pages of apps, repeat steps 8-10 for all pages and apps. If you configure new third-party apps in the future, please also block the "Tezi - Max" OU's access to those future apps.

  9. Click Change access.

  10. Select the "Tezi - Max" OU and set its Access to Google Data to Blocked. Review and confirm these selections.

  11. Go to Apps -> Web and mobile apps.

  12. If your company has any apps on this page (many do not), click each app and disable access for the "Tezi - Max" OU.

  13. Go to Apps -> Google Workspace Marketplace apps -> Apps list.

  14. If your company has any apps on this page (many do not), disable Max's access to each app:

    1. Click each app.

    2. In the User Access section, click View organizational units and groups.

    3. On the lefthand side, select the "Tezi - Max OU".

    4. Select Off for App Distribution.

    5. Save your selection.

  15. Go to Apps -> Google Workspace Marketplace apps -> Settings.

  16. On the lefthand side, select the "Tezi - Max OU".

  17. For the "Tezi - Max" OU, select Don't allow users to install and run apps from the Marketplace. Save your selection.

5. Set up 2-step verification for the "Tezi - Max" OU

To prevent unauthorized access, enable 2-step verification for the "Tezi - Max" OU:

  1. Go to Security -> Authentication -> 2-step verification.

  2. On the lefthand side, select the "Tezi - Max" OU.

  3. Select Allow users to turn on 2-Step Verification if it is not already enabled.

  4. Configure the rest of 2-step verification per your organization's policies.

    1. If you choose to turn 2-step verification Enforcement on, please also set a New user enrollment period of at least 1 week. Tezi will not be able to complete the setup otherwise.

6. Install and configure the Tezi app for the "Tezi - Max" OU

In order to book interviews, the Tezi app needs access to Max's Google Calendar on your domain. Follow the steps below to install and configure the Tezi app:

  1. Go to Security -> Access and data control -> API controls -> Manage third-party app access.

  2. Click Add app and select OAuth App Name Or Client ID in the dropdown. This will launch the app configuration flow.

  3. Search for and select the Tezi app using Tezi's OAuth Client ID: 405977416496-dmj02qmj1amufenddmtmhufead80lpmd.apps.googleusercontent.com.

  4. In the Scope step, click Select org units and select the "Tezi - Max" OU.

    1. Please ensure the Tezi app has access to the "Tezi - Max" OU specifically. Max will not work without this access.

  5. In the Access to Google Data step, select Trusted.

  6. Review your selections and finish app configuration.

Part 3: Set up Max's OU email address and email forwarding

Now that Max's OU exists, Max needs an email address in this OU, and Max's emails need to be forwarded to [email protected] for processing. This section explains how to create Max's email address and configure forwarding.

1. Create an email address for Max in the "Tezi - Max" OU

Create an email address for Max and send access to the Tezi team:

  1. Go to Directory -> Users.

  2. On the lefthand side, select the "Tezi - Max OU".

  3. Click on Add new user to create an email address for Max with the following fields:

    1. First name: Max

    2. Last name: AI Recruiter

    3. Primary email: max.tezi@[yourdomain].com

  4. Send sign-in instructions for the new user to [email protected]. Do this by clicking PREVIEW AND SEND.

2. Set up email forwarding for Max's new email address

Forward emails received by max.tezi@[yourdomain].com to [email protected] for processing:

  1. Go to Apps -> Google Workspace -> Gmail.

  2. Click on Routing.

    1. Note: There is also a Default routing option, which is not the correct option.

  3. Scroll to find the Email forwarding using recipient address map option.

    1. Note: Make sure you are viewing settings for all users. Do not select the "Max - Tezi OU" on the lefthand side.

  4. Click on Add another rule to create a new forwarding rule with the following specifications:

    1. Enter a helpful description like "Tezi AI Recruiter forwarding rule".

    2. Add a new address mapping from max.tezi@[yourdomain].com to [email protected].

    3. For Messages to affect, select All incoming messages.

    4. In Routing options, select Also route to original destination.

Part 4: Install the Tezi Slack app

Tezi's Slack app enables users to chat with Max and receive recruiting-related Slack reminders. Please click here to install the Tezi app for your Slack workspace.

Part 5: Inform the Tezi team via Slack that you have completed technical set-up

Once you have set up an appropriate OU, created Max's email address, and configured your DNS records, you have completed all technical set-up for Tezi.

That's it! We look forward to making stellar hires with you.

Did this answer your question?