That's most likely BIMI with DKIM (DKIM alone is relatively common) but it's unfortunately not S/MIME. Latter would actually be a "sender signed email" rather than former, "domain signed email".
I went back and searched my email. It was an RSA-2048 S/MIME certificate issued by Aldi Süd and Apple Mail now warns that the certificate is expired (the email was from a few years ago, when the certificate was valid). The email came from a supply chain person in their Hong Kong office - maybe that explains the level of security?
