Tokyo Tech Conf Lacks Email Auth Amid 2026 Mandates

Audit reveals SusHi Tech Tokyo 2026 lacks SPF, DKIM, DMARC despite global enforcement mandates. 750+ startups exposed to spoofing risks.

James Chen

April 27, 2026

Asia's largest startup convention, running April 27 to 29 at Tokyo Big Sight, features 770 exhibitions and expects 60,000 attendees. Yet the domain behind it carries no SPF, DKIM, or DMARC records, leaving it fully open to spoofing attacks at the exact moment global email authentication mandates are tightening. According to an infrastructure audit published by mkultraman (Substack), this is not a fresh oversight: a single contractor missing DMARC in 2025 could be called a mistake, but the same gap persisting into 2026, after Japan's Ministry of Internal Affairs and Communications issued a formal September request, after the Active Cyber Defense Law was ratified in May 2025, and after Yahoo Japan announced sender authentication requirements, "is something else."

A High-Profile Gap in a High-Profile Event

Tokyo Governor Yuriko Koike officially opened SusHi Tech Tokyo 2026 this morning at Tokyo Big Sight, reinforcing Tokyo's ambition to become one of the world's most startup-friendly cities and positioning the event as a central pillar of the Tokyo Metropolitan Government's long-term innovation strategy. When 60,000 attendees descend on Tokyo Big Sight April 27 to 29, the headline numbers are hard to ignore: 750 startup exhibitors, 151 sessions, city leaders from 49 countries.

What is harder to see from the outside is that the event domain lacks even the most basic layer of email identity protection. The work has not gone undone because it is technically hard. According to the audit, it is because nobody is demanding it. There is no procurement clause requiring DMARC for .lg.jp event subdomains.

The stakes extend well beyond the conference organizers. Business Email Compromise scams have become increasingly sophisticated. VIPRE's email threat analysis found that 51% of all scam emails are BEC attacks, with 82% involving impersonation and 40% impersonating CEOs specifically. A widely recognized event domain without authentication is a ready-made lure for attackers who want to reach the inboxes of investors, partners, and startups in the conference network.

Peer Agencies Enforce What the Conference Ignores

The contrast with other Japanese government entities is direct. An audit of NISC, Japan's national cybersecurity agency, the body that defines common security standards for the entire government, shows it runs v=DMARC1; p=quarantine; adkim=s; aspf=s with aggregate reporting configured. Japan's National Police Agency has identified DMARC as a meaningful control against fraudulent email and is actively collaborating with partner agencies to advocate for adoption at the strongest enforcement level, a p=reject policy that instructs receiving mail servers to block unauthenticated email outright.

Japan's Ministry of Economy, Trade, and Industry (METI) has directed credit card companies to implement DMARC as part of Japan's broader 3D Secure program, and has extended similar requirements to semiconductor manufacturers, incorporating DMARC into transaction conditions to confront email spoofing and protect supply chain integrity.

A peer municipal government in the same country runs p=reject in production. The technical bar is at floor level. As the mkultraman audit puts it: "If the city that hosts the conference about sustainable technology cannot sustain the email authentication posture for the conference itself, the brand is doing more work than the operations."

What No DMARC Actually Means for Exhibitors

For the 700-plus startups, marketers, and growth teams participating in SusHi Tech Tokyo, the authentication gap creates a direct business risk. Without DMARC configured, a criminal could send a fake invoice from an email address using the conference domain, and that email might actually land in a customer's inbox. With proper protocols in place, that fake email gets blocked before anyone ever sees it.

Domain and IP reputation erosion from authentication failures spills over to impact transactional and operational mail, not just marketing communications. For startups that secured meetings or signed follow-up deals at the event, impersonation attacks exploiting the conference domain could intercept post-event correspondence at the worst possible moment.

A domain without SPF, DKIM, and DMARC is no longer just a deliverability risk: it is an audit finding.

The Global Mandate Context

In 2026, DMARC has become a standard requirement for organizations sending bulk email, and major inbox providers now require SPF and DKIM for bulk email senders. DMARC requirements from Google and Yahoo now apply to bulk senders sending 5,000 or more emails per day, with stricter enforcement starting in 2026.

According to Cloudflare's 2026 threat report, 46% of all emails fail DMARC validation, highlighting just how much unauthenticated traffic still flows through global systems. The SusHi Tech domain contributes to that statistic despite operating in a policy environment where regulators are explicitly asking for action.

In fairness, the mkultraman audit benchmarks the event against international peers, and the picture is mixed: VivaTech in Paris runs p=quarantine with DKIM via Google and Brevo; Slush in Helsinki uses p=none with Cloudflare reporting and four DKIM selectors. Web Summit is also unprotected. CES is at monitoring-only. The problem is not unique to Tokyo, but Tokyo is the one positioning itself as a model for technology-forward city governance.

The Fix Is Minimal

The path to basic compliance is not complex. Start with p=none and collect 30 to 60 days of report data, fix any legitimate-sender gaps, then move to p=quarantine. After another 30 days, move to p=reject. Add DKIM signing on the way. Total elapsed time: three months. Total operational cost: trivial. Total effort: a backlog ticket.

For business owners and email marketers attending or following the event, the audit is also a reminder to run the same check on your own domain before someone else does it for you. The immediate steps for any organization are to move the domain policy to p=reject, or at least p=quarantine, for all domains that send email. A city government running the largest tech conference in Asia has less of an excuse than most.
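
The check and the rollout ladder described above, as an added example (not code from the article or from the mkultraman audit): it classifies the TXT strings found at _dmarc.<domain> and names the next step on the p=none, p=quarantine, p=reject path. The domains and rua addresses are constructed; the DNS lookup itself is left outside the block so it runs offline.

```python
import re

LADDER = ["none", "quarantine", "reject"]  # enforcement order described in the article

def parse_dmarc(txt):
    """Parse one TXT string into a dict of DMARC tags, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        return None  # the v= tag must come first and be exactly DMARC1
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def assess(txt_records):
    """Return (posture, findings) for the TXT strings published at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "unprotected", ["no DMARC record: publish p=none with rua= to start collecting reports"]
    if len(records) > 1:
        return "unprotected", ["multiple DMARC records: receivers apply none of them"]
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in LADDER:
        return "unprotected", [f"missing or invalid p= tag: {policy!r}"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    sp = tags.get("sp", policy).lower()
    if sp in LADDER and LADDER.index(sp) < LADDER.index(policy):
        findings.append(f"sp={sp} is weaker than p={policy}: subdomains are less protected")
    step = LADDER.index(policy)
    if step < len(LADDER) - 1:
        findings.append(f"next step: move p={policy} to p={LADDER[step + 1]} once reports are clean")
    return ("monitoring-only" if policy == "none" else policy), findings

# Constructed sample inputs; the quarantine record uses the tags the article quotes for NISC.
SAMPLES = {
    "unprotected.example": [],
    "monitoring.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"],
    "quarantine.example": ["v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:dmarc@quarantine.example"],
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, *assess(txt))
```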
