Zero Trust Access Group - require domain always blocks

Hi there,
I created an access group to protect a self-hosted web-app.

I have restricted the source IPs via Define group criteria - Include - IP Ranges.
This part works. If the source IP is on the allow list people get to see the login page to request an OTP via email (which is my current config).

Here I want to allow only specific domains. Therefore I created a Require - Emails ending in… group criteria. Directly underneath the IP criteria.
I enter my domains and apply it.

However, as a result I am no longer able to receive OTP emails.
When I go to the application and “Test your policies” the user with the email address is denied. Even though the domain is an exact match of the group criteria.

Is there anything I don't get here?

Thanks for your help in advance!

This is the result. I have had both domains in one selector and for this test I split them into two.
The two green checkmarks indicated that the IP and the domain are ok - yet I get an access denied.


I think I do understand now. I got confused by how include and exclude work.
Exclude requires all criteria to be true. Changing emails to include it now works.
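The thread turns on how Include, Require and Exclude combine in a Cloudflare Access group. The evaluator below is an added example (not code from the post or from Cloudflare) that models the documented semantics: an identity must match at least one Include rule, every Require rule, and no Exclude rule. The IP range and email domains are constructed placeholders. It compares the configuration the poster started with (IP range in Include, email domain in Require) against the one they ended with (both in Include), so the difference in who is admitted is visible.

```python
import ipaddress

# Constructed sample values, not taken from the post
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_DOMAINS = ["example.com", "example.org"]


def matches_ip_ranges(identity, ranges):
    """'IP Ranges' selector: source IP falls inside any listed network."""
    ip = ipaddress.ip_address(identity["ip"])
    return any(ip in net for net in ranges)


def matches_email_domains(identity, domains):
    """'Emails ending in' selector: the address ends in one of the domains."""
    email = identity.get("email", "").lower()
    return any(email.endswith("@" + d.lower()) for d in domains)


def evaluate_group(group, identity):
    """Access group semantics as documented by Cloudflare:
       Include -> at least one rule must match (OR)
       Require -> every rule must match (AND)
       Exclude -> any match denies (NOT)
    Each rule is a callable taking the identity and returning a bool.
    """
    include = group.get("include", [])
    require = group.get("require", [])
    exclude = group.get("exclude", [])
    if not any(rule(identity) for rule in include):
        return False          # no Include rule matched
    if not all(rule(identity) for rule in require):
        return False          # at least one Require rule failed
    if any(rule(identity) for rule in exclude):
        return False          # an Exclude rule matched
    return True


def ip_rule(identity):
    return matches_ip_ranges(identity, ALLOWED_RANGES)


def email_rule(identity):
    return matches_email_domains(identity, ALLOWED_DOMAINS)


# Configuration A: IP in Include, domain in Require  -> IP AND domain
GROUP_A = {"include": [ip_rule], "require": [email_rule]}
# Configuration B: IP and domain both in Include     -> IP OR domain
GROUP_B = {"include": [ip_rule, email_rule]}


def compare(identity):
    """Return the decision each configuration makes for one identity."""
    return {"A": evaluate_group(GROUP_A, identity),
            "B": evaluate_group(GROUP_B, identity)}


if __name__ == "__main__":
    samples = [
        {"ip": "203.0.113.10", "email": "alice@example.com"},   # in range, allowed domain
        {"ip": "203.0.113.10", "email": "bob@gmail.example"},   # in range, other domain
        {"ip": "198.51.100.7", "email": "carol@example.org"},   # out of range, allowed domain
        {"ip": "198.51.100.7", "email": "dave@gmail.example"},  # out of range, other domain
    ]
    for s in samples:
        print(s, compare(s))
```

Configuration B admits an identity that satisfies either criterion: anyone on the allow-listed ranges regardless of email domain, and anyone with an allowed email domain from any source IP. If the intent is that both conditions hold, the domain rule belongs in Require, and a denial from "Test your policies" in that layout is something to investigate (for example, whether the tested identity actually carries the email claim at evaluation time) rather than a reason to move the rule to Include.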