What is STIR/SHAKEN?
STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) is a framework of technical standards and protocols for authenticating caller ID information on phone calls. Required by the FCC for US voice carriers under the TRACED Act, STIR/SHAKEN verifies that the calling number is legitimately associated with the originating carrier, reducing caller ID spoofing, robocalls, and fraud. Legitimate business calls get cryptographically signed; calls from unknown or untrusted origins get flagged as “Spam Risk” or rejected.
Why STIR/SHAKEN exists
Traditional phone signaling (SS7) was designed in an era when carriers trusted each other implicitly. Caller ID was whatever the originating carrier put in the signaling header. Fraudsters learned to spoof caller ID, displaying numbers they don’t own, sometimes numbers of local neighbors, law enforcement, or banks, to trick recipients.
By 2019, Americans received an estimated 50 billion robocalls per year. STIR/SHAKEN is the industry’s cryptographic response.
How STIR/SHAKEN works
When a call originates:
- Originating carrier authenticates the caller’s right to use the calling number
- Carrier assigns an attestation level:
  - A (Full Attestation): carrier confirms the caller owns the number
  - B (Partial Attestation): carrier knows the caller but cannot verify the number assignment
  - C (Gateway Attestation): carrier received the call from another network and cannot verify
- Carrier digitally signs the SIP INVITE with a certificate (STIR protocol)
- Transit carriers pass the signed call through without modification
- Terminating carrier verifies the signature (SHAKEN protocol)
- Terminating carrier passes the verified call (or labels it “Spam Risk”) to the called phone
Consumer-visible result: calls display “Verified” or similar trust indicators when properly signed. Unsigned or invalid calls may be labeled as spam risk or blocked entirely.
STIR vs SHAKEN
- STIR (Secure Telephone Identity Revisited): the IETF technical standards for cryptographic signing (RFC 8224-8226 and related)
- SHAKEN (Signature-based Handling of Asserted information using toKENs): the carrier-network operational framework that uses STIR for authentication between carriers
They’re complementary. STIR is the protocol; SHAKEN is the implementation.
STIR/SHAKEN and business calls
For legitimate business callers, STIR/SHAKEN matters because:
- Calls get signed at Attestation Level A when the carrier can verify number ownership
- Signed calls have higher delivery rates: less likely to be labeled spam
- Call recipients see trust indicators: more likely to answer
- Bad actors get filtered out: competitive advantage for legitimate senders
DialPhone signs all outbound calls from verified DialPhone-assigned numbers at Attestation Level A when possible. Ported numbers verify through DialPhone’s Letter of Authorization process and receive A or B attestation depending on verification depth.
STIR/SHAKEN and call blocking
The FCC permits carriers to block certain traffic:
- Unsigned calls from verified illegal sources
- Calls signed at low attestation from networks with history of abuse
- Calls failing signature verification
This matters for outbound campaigns: a call that appears legitimate to the sender can still be blocked by the recipient’s carrier if it fails STIR/SHAKEN validation at the network level.
STIR/SHAKEN and robocalls
STIR/SHAKEN isn’t a silver bullet against robocalls:
- It reduces spoofing: bad actors can’t impersonate banks or law enforcement easily anymore
- It doesn’t stop all spam: calls from signed numbers can still be spam if the caller is a registered scammer
- Scammers have adapted: using VoIP services that offer full attestation
- Carrier analytics layer on top, filtering based on patterns even for signed calls
The overall impact since 2020 has been meaningful (a measurable reduction in robocalls), but robocalls are far from eliminated.
STIR/SHAKEN timeline
- 2019: TRACED Act signed into law
- June 30, 2021: STIR/SHAKEN implementation deadline for large voice providers
- June 30, 2022: Extended deadlines for small and non-IP voice providers
- 2023: Small carriers phased compliance
- Ongoing: Carriers that can’t verify caller identity face delisting and call-blocking pressure
Most US voice traffic is now STIR/SHAKEN-signed.
International caller ID authentication
STIR/SHAKEN is US-centric. Similar frameworks exist or are emerging in:
- Canada: STIR/SHAKEN adopted by CRTC
- UK: Ofcom requiring authentication solutions
- France: ARCEP implementing caller ID authentication
- Australia: ACMA developing framework
International calls crossing between regions without authentication typically carry less trust. Business callers with international reach should prefer local numbers in each region where possible.
STIR/SHAKEN and outbound dialing compliance
STIR/SHAKEN complements, but does not replace, TCPA and DNC compliance. Outbound dialers must:
- Use STIR/SHAKEN-compliant infrastructure
- Honor TCPA consent requirements
- Scrub against National DNC Registry
- Comply with 10DLC for SMS
- Respect state-level rules
DialPhone’s outbound dialer handles all four.
What businesses need to do
For most businesses, nothing active. The carrier (DialPhone) handles STIR/SHAKEN. Things to verify:
- Your voice provider is STIR/SHAKEN-compliant
- Outbound calls from ported numbers sign at Level A or B
- Monitor call delivery rates by campaign and investigate drops
- Keep DNC scrubbing and TCPA consent current
- If you use SIP trunking to a customer-operated PBX, verify your SBC signs properly
STIR/SHAKEN on DialPhone
- All outbound calls signed per STIR/SHAKEN
- Attestation Level A for DialPhone-assigned numbers
- Attestation Level A or B for ported numbers (depending on verification depth)
- Monitoring and alerts for attestation failures
- Support for signed calls via Operator Connect for Microsoft Teams deployments
Example
A healthcare imaging center moved from a regional VoIP provider to DialPhone. Under the old provider, outbound appointment reminder calls were getting labeled “Spam Likely” on Verizon, and patients weren’t answering. After switching to DialPhone with proper STIR/SHAKEN signing at Attestation Level A, answer rates on reminder calls rose from 41% to 74% in the first quarter. The content of the calls did not change, only the caller ID authentication at the carrier level.
Caller ID spoofing — how it works and how STIR/SHAKEN stops it
Caller ID spoofing means altering the displayed calling number so it does not match the actual originating line. Traditional SS7 signaling never validated the “From” header — whatever the originating switch wrote, the terminating switch displayed.
Legal spoofing is common and legitimate:
- A sales team displaying the company main number instead of each rep’s direct dial
- A domestic violence shelter masking its location number behind a published support line
- Doctors calling patients from a personal device while displaying the clinic number
- Law enforcement displaying protected dispatch numbers
Illegal spoofing is defined under the Truth in Caller ID Act (47 USC 227(e)) and reinforced by the TRACED Act of 2019: altering caller ID with intent to defraud, cause harm, or wrongfully obtain anything of value. Penalties run up to $10,000 per violation, plus criminal liability.
How STIR/SHAKEN technically blocks illegal spoofing
The originating voice service provider (VSP) signs the call with a JSON Web Token (PASSporT) attached to the SIP INVITE. The token carries three claims: calling number, called number, and attestation level (A, B, or C). The signature uses a private key tied to a certificate issued by the Secure Telephone Identity Policy Administrator (STI-PA).
The terminating carrier validates the signature. Three outcomes are possible:
- Valid signature, Level A — call passes with a “Verified” indicator on supported handsets
- Valid signature, Level B or C — call passes but carries lower trust; analytics layers may still flag
- No signature or invalid signature — call gets labeled “Spam Likely,” “Scam Likely,” or blocked outright
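Added example (not DialPhone's or any carrier's code): the structural checks a terminating side can run on the SIP Identity header's PASSporT before it spends effort on certificate fetch and ES256 signature verification, which this sketch does not perform. Beyond the three claims named above it also checks the iat and origid claims and the alg/ppt/typ/x5u header fields from RFC 8225 and RFC 8588; the 60-second freshness window, the function names and the sample numbers and URL are assumptions made for illustration.

```python
import base64
import json

def _enc(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(part: str):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def _digits(tn: str) -> str:
    return "".join(c for c in tn if c.isdigit())

def precheck_identity(value, from_tn, to_tn, now, max_age=60):
    """Return 'A', 'B' or 'C' when the PASSporT is well formed and matches
    the call, else 'reject: <reason>'. Signature verification comes after."""
    parts = value.partition(";")[0].strip().split(".")
    if len(parts) != 3 or not all(parts):
        return "reject: not a three-part compact JWS"
    try:
        hdr, claims = _dec(parts[0]), _dec(parts[1])
        alg, ppt, typ, x5u = (hdr[k] for k in ("alg", "ppt", "typ", "x5u"))
        orig = _digits(claims["orig"]["tn"])
        dest = [_digits(t) for t in claims["dest"]["tn"]]
        iat, attest = int(claims["iat"]), claims["attest"]
    except (ValueError, KeyError, TypeError):
        return "reject: malformed header or claims"
    if alg != "ES256":  # also refuses alg=none and HMAC downgrades
        return "reject: alg must be ES256"
    if ppt != "shaken" or typ != "passport":
        return "reject: not a SHAKEN PASSporT"
    if not str(x5u).startswith("https://"):
        return "reject: x5u is not an https URL"
    if attest not in ("A", "B", "C"):
        return "reject: unknown attestation level"
    if "origid" not in claims:
        return "reject: missing origid"
    if orig != _digits(from_tn) or _digits(to_tn) not in dest:
        return "reject: claims do not match the signalled numbers"
    if abs(now - iat) > max_age:  # stale token: possible replay
        return "reject: iat outside freshness window"
    return attest

def sample_identity(iat, orig="12025550100", dest="12025550199", alg="ES256"):
    """Constructed sample header value; the signature part is a placeholder."""
    hdr = {"alg": alg, "ppt": "shaken", "typ": "passport",
           "x5u": "https://cert.example.test/sti.pem"}
    claims = {"attest": "A", "dest": {"tn": [dest]}, "iat": iat,
              "orig": {"tn": orig},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join([_enc(hdr), _enc(claims), "c2lnLXBsYWNlaG9sZGVy"])
    return f"{token};info=<{hdr['x5u']}>;alg={alg};ppt=shaken"

if __name__ == "__main__":
    t0 = 1700000000  # constructed timestamp
    print(precheck_identity(sample_identity(t0), "+1 202 555 0100",
                            "+12025550199", t0 + 5))
```

A pre-check result of A, B or C only means the token is worth verifying; the attestation level is trustworthy only after the signature validates against the certificate chain.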
Why STIR/SHAKEN does not fully eliminate spoofing
Three real-world gaps remain:
- Non-IP networks. Legacy TDM gateways cannot pass the PASSporT token through. Calls hopping through a TDM segment lose the signature. The FCC granted extensions for non-IP segments through 2024 with phased compliance.
- International calls. Foreign carriers are not subject to FCC mandate. Inbound calls from outside the US arrive as gateway-attested (Level C) at best.
- Smaller VSPs. Providers with fewer than 100,000 subscribers had until June 2023 to comply. Bad actors deliberately route through these to evade signing.
The FCC’s Robocall Mitigation Database (RMD) requires every VSP to file a mitigation plan; carriers may refuse traffic from VSPs not listed.
STIR/SHAKEN attestation levels explained
Three attestation levels are defined in ATIS-1000074. They are not interchangeable — they signal how much the originating carrier knows about the caller and the number being displayed.
Level A — Full Attestation
The carrier has authenticated the caller (the customer is who they say they are) and confirmed the caller owns or is authorized to use the displayed number. Calls with Level A get full trust — modern Android and iOS surface a green checkmark or “Verified” badge. This is the gold standard for any outbound business calling.
Level B — Partial Attestation
The carrier has authenticated the caller but cannot directly verify the number being displayed belongs to that caller. Common scenarios: a call center using SIP trunking with a pool of rotating outbound numbers, or a CPaaS customer programmatically assigning DIDs from a shared inventory. The carrier vouches for the call’s origin but not the displayed identity.
Level C — Gateway Attestation
The call entered from another network (international gateway, peering interconnect, or legacy TDM segment). The carrier vouches for the entry point only. International and many transited business calls land here.
What attestation level your business gets
DialPhone signs outbound calls at Level A by default for DialPhone-assigned, KYC-verified numbers. Ported numbers reach Level A once LOA and CNAM ownership verification complete; until then, they sign at Level B. Shared SIP trunks where the carrier cannot verify number ownership end at Level B. International outbound and inbound foreign calls end at Level C. Industry studies show Level A answer rates 25-40% higher than Level C — attestation is the single biggest variable in outbound delivery.
What businesses must do to maintain Level A attestation
Level A is not automatic. Carriers can downgrade Level-A signing authority if KYC slips, complaints rise, or RMD filings lapse. To stay at Level A:
- Complete KYC verification. Business name, EIN, registered address, beneficial ownership — same documents a bank requires. DialPhone collects this at signup; Twilio and Bandwidth require additional KYC packages before Level A unlocks.
- Verify ownership of every outbound number. Each DID must be carrier-assigned or ported in with full LOA. Numbers acquired via informal transfer or sublease will not sign at Level A.
- Do not resell numbers to unrelated entities. FCC rules tightened in 2024 — passing assigned numbers to a third party breaks the attestation chain and is grounds for RMD de-listing.
- File a Robocall Mitigation Plan with the FCC. Every VSP and many enterprise voice users must maintain an RMD entry.
- Adhere to TCPA and DNC rules. Spam-flag triggers on signed-but-unwanted calls erode Level-A trust scores. Carriers can throttle or downgrade attestation on sustained complaint rates.
- Sign per-call using carrier-issued certificates. The signing cert is tied to the originating carrier and rotates regularly. Self-signed or borrowed certs invalidate the chain.
- Run reassigned-number database checks before dialing. Calling a reassigned number and generating a complaint is a fast track to a “Spam Likely” flag.
DialPhone handles all seven by default. Customers with valid business documentation get Level A attestation on day one.
STIR/SHAKEN impact on business outbound calls
The mandate changed outbound dialing economics. Industry benchmarks across sales, collections, and appointment-reminder use cases:
Answer rate impact
- Pre-STIR/SHAKEN baseline: average B2B outbound answer rate 18-25%
- Post-STIR/SHAKEN Level A: 28-38% — a 25-40% relative lift
- Calls flagged “Spam Likely”: 4-12% answer rate — a 50-70% relative drop versus baseline
The spread between best case (Level A, clean reputation) and worst case (flagged number, Level C) is roughly 8x. A single attestation downgrade can collapse a campaign’s economics.
Cost impact of misattestation
For a sales team making 1,000 outbound calls per day, a 10-percentage-point answer-rate hit (dropping from Level A to a flagged Level C state) costs roughly 30 lost connects per day at typical 30% connect-to-conversation conversion. At $50 ACV per connect, that is $1,500 per day, or $390,000 annually, in lost pipeline.
Operational requirement
Monitor your Spam-Likely flag rate via your carrier’s reputation dashboard. DialPhone exposes per-number flag status across Hiya, First Orion, and TNS in a single panel. If flagging recurs, you may be sharing an IP range or number block with abusers — request reassignment to a clean range.
Caller ID reputation and how to recover from being flagged
Attestation is one input to reputation. Carrier analytics layers (Hiya, First Orion, TNS, Numeracle) apply their own scoring on top, based on call patterns, complaints, and similarity matching. A Level A number can still get tagged “Spam Likely” by a third-party analytics layer.
How numbers get flagged
- High call volume on a virgin number. A brand-new DID making 500 calls in its first day looks like a burner.
- Low pickup rate. Sustained answer rates under 10% trigger pattern matching against known abusers.
- Spam complaints. A single iPhone “Report Junk” complaint feeds back into the analytics database within hours.
- Similarity matching. Numbers in the same NPA-NXX block as known abusers get guilt-by-association flags.
- High call-to-non-answer ratio. Calls going straight to voicemail at scale trigger “voicemail bombing” heuristics.
Recovery process
- Stop calling for 7-14 days. Reputation scores decay; a cooldown lets the flag age out of the active dataset.
- Submit a reputation-restoration request via the Free Caller Registry. FCR (freecallerregistry.com) covers AT&T, Verizon, T-Mobile, and most major MVNOs. Free, processes in 7-21 days.
- Re-warm with low daily call volume. Start with 50-100 calls per day in week one, then ramp to 200, 400. Avoid spikes.
- Track flag status across carriers. Hiya, First Orion, and Numeracle each maintain independent databases. A clean status on one does not guarantee clean status on others.
- Consider number rotation. High-volume use cases (collections, political dialing) rotate numbers weekly to stay ahead of analytics scoring.
The cost of staying flagged
A flagged number sees 40-60% lower contact rates indefinitely. Better to retire it and warm a new one than to keep dialing into a “Spam Likely” label.
STIR/SHAKEN frequently asked questions
What does STIR/SHAKEN actually do for me as a business?
STIR/SHAKEN cryptographically signs your outbound calls so the recipient’s carrier can verify the call came from a KYC-verified source displaying a number you own. Your legitimate calls are far less likely to be labeled “Spam Likely” and more likely to display “Verified” on the recipient’s handset. Answer rates rise 25-40% versus unsigned or low-attestation calls. For outbound sales, collections, or appointment reminders, this is the difference between a campaign that pays for itself and one that bleeds money.
How do I know if my number has Level A, B, or C attestation?
Ask your voice provider directly — they know which level they signed at. DialPhone surfaces attestation level per outbound call in the CDR panel. CPaaS providers like Twilio expose it in API response headers; SIP trunking providers expose it via the “Identity” header in the 200 OK response. If your provider cannot tell you what level your calls sign at, that itself is a red flag — switch providers.
Why are my legitimate business calls showing as “Spam Likely”?
Three common causes. First, low attestation — your carrier may sign at Level B or C because they cannot verify number ownership. Second, third-party analytics flagging — Hiya, First Orion, or TNS may have scored your number as spam-like based on call volume, pickup rate, or complaint history. Third, similarity matching — your number may share an NPA-NXX block with known abusers. Check attestation first; if Level A, submit reputation cleanup via Free Caller Registry.
Can STIR/SHAKEN block all spam calls?
No. STIR/SHAKEN authenticates that a call came from a known carrier displaying an attested number — it does not validate the call’s intent. A registered scammer with a verified number and Level A attestation can still place spam calls. What STIR/SHAKEN does well is make impersonation spoofing (pretending to be your bank, the IRS, or police) much harder. Spam from legitimate-looking sources persists and is addressed through analytics layers, TCPA enforcement, and consumer reporting.
Is STIR/SHAKEN mandatory for my business?
If you are a voice service provider (carrier, MVNO, CPaaS, hosted PBX), yes — the FCC TRACED Act mandates implementation and an RMD filing. If you are an end-user business (sales team, contact center, healthcare clinic), STIR/SHAKEN is not directly mandatory for you — but your voice provider must be compliant. Every business should confirm their carrier signs at Level A and exposes attestation reporting.
Does STIR/SHAKEN apply to international calls?
Only partially. STIR/SHAKEN is a US FCC mandate covering domestic interconnect. Inbound calls from foreign carriers arrive with Level C at best and frequently unsigned. Outbound calls from US carriers to international destinations get signed on the US side, but the foreign terminating carrier may not validate or display the signature. Canada (CRTC), the UK (Ofcom), France (ARCEP), and Australia (ACMA) are implementing parallel frameworks, but global interoperability is years away. Lean on local numbers in the destination country when answer rate matters.