I just moved this domain away from the registrar one.com to AWS Route 53 (actually Gandi, but that’s a different story). However, when doing so, I got
SERVFAIL when doing things like
dig mx wendt.se @18.104.22.168, whereas
dig +trace mx wendt.se worked just fine.
Apparently, Route 53 has partial support for DNSSEC, and others have ran into this issue before when moving domains under the TLD
Tools used to hint at the real cause: