I'm pretty surprised that of the 1.7M domains with an MX record, only 57% have DKIM
I don't see how one could reliability gather this data from DNS:
DKIM allows you to specify a selector in the header of the mail: This mail for example will use 'sx1' as the selector (check out the header ;-) ):
$ dig +short txt sx1._domainkey.blinkenlights.ch "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC[....]
But without ever receiving a mail from me: how would you know?
You could try to send a query for '_domainkey.blinkenlights.ch' and you MAY receive a NOERROR reply - but that's not guaranteed: My DNS will just return an NXDOMAIN:
$ dig txt _domainkey.blinkenlights.ch|grep status: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10153
Regards, Adrian