Hi Daniel,
Your nameserver breaks https://www.rfc-editor.org/rfc/rfc8020
I'd rather say 'does not implement' instead of 'break': As RFC 8020 points out, the (almost 30 years older) RFC 1034 is very unspecific about the details on how a nameserver should behave in such a situation. (And opinions seem to have changed over time, see https://groups.google.com/g/comp.protocols.dns.std/c/j0ddY0jZhog/m/yHN9ew5Q5...)
Therefore, there *are* existing implementations which do seem to return NXDOMAIN in such cases - probably because their implementation predates RFC8020, one of them being AWS / Route53:
Example:
$ dig txt mv2jefm7mwexbuk5zvfgdg5yzcylqkwc._domainkey.just-eat.ch
Returns the expected data while
$ dig txt _domainkey.just-eat.ch
returns NXDOMAIN.
Note that i don't want to argue whether or not everyone should implement RFC8020: All i'm saying is that there are servers in the wild which do return NXDOMAIN and hence it is almost impossible to say whether or not a domain has DKIM enabled.
Regards, Adrian