Asia's largest startup convention, running April 27 to 29 at Tokyo Big Sight, features 770 exhibitions and expects 60,000 attendees. Yet the domain behind it carries no SPF, DKIM, or DMARC records, leaving it fully open to spoofing attacks at the exact moment global email authentication mandates are tightening. According to an infrastructure audit published by mkultraman (Substack), this is not a fresh oversight: a single contractor missing DMARC in 2025 could be called a mistake, but the same gap persisting into 2026, after Japan's Ministry of Internal Affairs and Communications issued a formal September request, after the Active Cyber Defense Law was ratified in May 2025, and after Yahoo Japan announced sender authentication requirements, "is something else."
A High-Profile Gap in a High-Profile Event
Tokyo Governor Yuriko Koike officially opened SusHi Tech Tokyo 2026 this morning at Tokyo Big Sight, reinforcing Tokyo's ambition to become one of the world's most startup-friendly cities and positioning the event as a central pillar of the Tokyo Metropolitan Government's long-term innovation strategy. When 60,000 attendees descend on Tokyo Big Sight April 27 to 29, the headline numbers are hard to ignore: 750 startup exhibitors, 151 sessions, city leaders from 49 countries.
What is harder to see from the outside is that the event domain lacks even the most basic layer of email identity protection. The work has not stalled because it is technically hard; according to the audit, it has stalled because nobody is demanding it. There is no procurement clause requiring DMARC for .lg.jp event subdomains.
The stakes extend well beyond the conference organizers. Business Email Compromise scams have become increasingly sophisticated: VIPRE's email threat analysis found that 51% of all scam emails are BEC attacks, with 82% involving impersonation and 40% impersonating CEOs specifically. A widely recognized event domain without authentication is a ready-made lure for attackers who want to reach the inboxes of investors, partners, and startups in the conference network.
Peer Agencies Enforce What the Conference Ignores
The contrast with other Japanese government entities is direct. An audit of NISC, Japan's national cybersecurity agency, the body that defines common security standards for the entire government, shows it runs v=DMARC1; p=quarantine; adkim=s; aspf=s with aggregate reporting configured. Japan's National Police Agency has identified DMARC as a meaningful control against fraudulent email and is actively collaborating with partner agencies to advocate for adoption at the strongest enforcement level, a p=reject policy that instructs receiving mail servers to block unauthenticated email outright.
Japan's Ministry of Economy, Trade, and Industry (METI) has directed credit card companies to implement DMARC as part of Japan's broader 3D Secure program, and has extended similar requirements to semiconductor manufacturers, incorporating DMARC into transaction conditions to confront email spoofing and protect supply chain integrity.
A peer municipal government in the same country runs p=reject in production. The technical bar is at floor level. As the mkultraman audit puts it: "If the city that hosts the conference about sustainable technology cannot sustain the email authentication posture for the conference itself, the brand is doing more work than the operations."
What No DMARC Actually Means for Exhibitors
For the 700-plus startups, marketers, and growth teams participating in SusHi Tech Tokyo, the authentication gap creates a direct business risk. Without DMARC configured, a criminal could send a fake invoice from an email address using the conference domain, and that email might actually land in a customer's inbox. With proper protocols in place, that fake email gets blocked before anyone ever sees it.
Domain and IP reputation erosion from authentication failures spills over to impact transactional and operational mail, not just marketing communications. For startups that secured meetings or signed follow-up deals at the event, impersonation attacks exploiting the conference domain could intercept post-event correspondence at the worst possible moment.
A domain without SPF, DKIM, and DMARC is no longer just a deliverability risk: it is an audit finding.
The Global Mandate Context
In 2026, DMARC has become a standard requirement for organizations sending bulk email, and major inbox providers now require SPF and DKIM for bulk email senders. Google and Yahoo's DMARC requirements now apply to bulk senders sending 5,000 or more emails per day, with stricter enforcement starting in 2026.
According to Cloudflare's 2026 threat report, 46% of all emails fail DMARC validation, highlighting just how much unauthenticated traffic still flows through global systems. The SusHi Tech domain contributes to that statistic despite operating in a policy environment where regulators are explicitly asking for action.
In fairness, the mkultraman audit benchmarks the event against international peers, and the picture is mixed: VivaTech in Paris runs p=quarantine with DKIM via Google and Brevo; Slush in Helsinki uses p=none with Cloudflare reporting and four DKIM selectors. Web Summit is also unprotected. CES is at monitoring-only. The problem is not unique to Tokyo, but Tokyo is the one positioning itself as a model for technology-forward city governance.
The Fix Is Minimal
The path to basic compliance is not complex. Start with p=none and collect 30 to 60 days of report data, fix any legitimate-sender gaps, then move to p=quarantine. After another 30 days, move to p=reject. Add DKIM signing on the way. Total elapsed time: three months. Total operational cost: trivial. Total effort: a backlog ticket.
For business owners and email marketers attending or following the event, the audit is also a reminder to run the same check on your own domain before someone else does it for you. The immediate steps for any organization are to move the domain policy to p=reject, or at least p=quarantine, for all domains that send email. A city government running the largest tech conference in Asia has less of an excuse than most.
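The check and the staged rollout described above can be scripted. The following is an added example, not code from the mkultraman audit or from any of the organizations named: it parses the TXT strings published at _dmarc.<domain>, grades the policy, and names the next rollout step. The domain names, rua addresses and function names are constructed for illustration, and the records are embedded so the script runs offline.

```python
STAGES = ("none", "quarantine", "reject")  # rollout order described in the text
NEXT_STEP = {
    None: "publish p=none with rua= and collect 30 to 60 days of reports",
    "none": "fix legitimate-sender gaps seen in reports, then move to p=quarantine",
    "quarantine": "after another 30 days, move to p=reject",
    "reject": "already at p=reject; keep reviewing aggregate reports",
}

def parse_dmarc(txt_records):
    """Return the tags of the one valid DMARC record, or None if absent or ambiguous."""
    valid = []
    for txt in txt_records:
        pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
        tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
        if tags and tags[0] == ("v", "DMARC1"):  # v=DMARC1 must be the first tag
            valid.append(dict(tags))
    return valid[0] if len(valid) == 1 else None  # duplicate records void the policy

def audit(txt_records):
    """Grade the DMARC posture and name the next step of the staged rollout."""
    rec = parse_dmarc(txt_records)
    if rec is None:
        return {"policy": None, "findings": ["no usable DMARC record"],
                "next_step": NEXT_STEP[None]}
    findings = []
    policy = rec.get("p", "").lower()
    if policy not in STAGES:
        findings.append("missing or invalid p= tag, treated as none")
        policy = "none"
    if "rua" not in rec:
        findings.append("no rua= address, so no aggregate reports to review")
    pct = rec.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append("pct below 100, policy applied to only part of the mail")
    for tag in ("adkim", "aspf"):
        if rec.get(tag, "r").lower() != "s":
            findings.append(f"note: {tag} uses relaxed alignment (the default)")
    return {"policy": policy, "findings": findings, "next_step": NEXT_STEP[policy]}

# Constructed sample records; domains and rua addresses are placeholders.
SAMPLES = {
    "no-record.example": [],
    "monitoring.example": ["v=DMARC1; p=none; rua=mailto:reports@monitoring.example"],
    "strict.example": ["v=DMARC1; p=quarantine; adkim=s; aspf=s; "
                       "rua=mailto:reports@strict.example"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, audit(txt))
```

Against a live domain, the input list would be the strings returned by a TXT lookup such as dig +short TXT _dmarc.example.org.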