What is STIR/SHAKEN?
STIR/SHAKEN is the technical framework that US voice carriers use to authenticate caller ID and combat illegal robocalling and spoofing. STIR (Secure Telephone Identity Revisited) is the cryptographic signing standard developed by the IETF; SHAKEN (Signature-based Handling of Asserted information using toKENs) is the framework for deploying STIR across the US telephone network. The FCC has mandated implementation since June 2021, with attestation levels A, B, and C indicating how confident the originating carrier is in the caller's right to use the number.
The Problem STIR/SHAKEN Solves
For decades, caller ID was an honor system. The originating phone system inserted whatever calling number it wanted into the call setup, and the receiving network displayed it. There was no cryptographic verification, no chain of trust, and nothing stopping a bad actor from putting any number they liked into the From field.
This broke spectacularly with VoIP. Anyone with an internet connection and a SIP trunk could spoof any number, anywhere in the world. The result was a flood of illegal robocalls, neighbor-spoofing scams, vishing attacks, and call-center fraud. Consumers stopped answering calls from unknown numbers, which hurt legitimate businesses too.
STIR/SHAKEN is the industry response: a framework that lets originating carriers digitally sign the caller ID on each call, and lets terminating carriers verify the signature before the call reaches the recipient.
STIR vs SHAKEN
The two terms get used together, and the distinction matters:
- STIR (Secure Telephone Identity Revisited) is a set of IETF standards (RFC 8224 and related) that define how to attach cryptographic signatures to SIP calls.
- SHAKEN (Signature-based Handling of Asserted information using toKENs) is the ATIS/SIP Forum framework that defines how STIR gets deployed across the US telephone network: certificate authorities, governance, attestation levels, and call flow.
STIR is the technology. SHAKEN is the operational deployment.
Attestation Levels
When an originating carrier signs a call, it includes one of three attestation levels indicating how confident it is that the calling party is entitled to use the displayed number:
- A (Full Attestation): The carrier knows the customer and has verified that the customer is authorized to use the calling number. This is the highest level. Direct customers of the originating carrier with assigned numbers usually get A attestation.
- B (Partial Attestation): The carrier knows the customer but hasn't verified the customer's right to use the specific calling number. Common for resellers and aggregators where the upstream carrier knows who's calling but not which number they're entitled to.
- C (Gateway Attestation): The carrier knows where the call entered its network but not the originating customer or their entitlement to the number. Common for international calls or calls coming in from non-STIR/SHAKEN networks.
Terminating carriers and analytics providers use these attestation levels to score call legitimacy. Calls with A attestation are far more likely to display a verified caller ID indicator and to ring through. Calls with C attestation are more likely to be flagged as suspicious or routed to voicemail.
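The token that carries the attestation level is a PASSporT (RFC 8225, with the SHAKEN claims from RFC 8588): a JWT-style object whose payload holds `attest`, `orig`, `dest` and `iat`. The following is an added example, not code from this page or from any carrier, showing the claim checks a terminating side runs before trusting the attestation letter. The token, phone numbers and certificate URL are constructed, the 60-second freshness window is an assumed default, and the ES256 signature check against the `x5u` certificate is deliberately not performed here.

```python
import base64
import json

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _digits(number):
    return "".join(ch for ch in str(number) if ch.isdigit())

def make_sample_passport(attest, orig_tn, dest_tn, iat):
    """Constructed sample; the third segment is a placeholder, not a signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://certs.example.invalid/sp.pem"}  # hypothetical URL
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
               "orig": {"tn": orig_tn},
               "origid": "00000000-0000-4000-8000-000000000000"}
    return ".".join([_b64url_json(header), _b64url_json(payload), "c2lnLXBsYWNlaG9sZGVy"])

def check_passport_claims(token, sip_from, sip_to, now, max_age=60):
    """Return (attestation or None, problems). The signature is NOT verified."""
    try:
        h64, p64, _sig = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        fields = (header["alg"], header["ppt"], header["typ"])
        x5u = str(header["x5u"])
        orig_tn = _digits(payload["orig"]["tn"])
        dest_tns = [_digits(t) for t in payload["dest"]["tn"]]
        iat = int(payload["iat"])
    except (ValueError, KeyError, TypeError):
        return None, ["malformed token"]
    problems = []
    if fields != ("ES256", "shaken", "passport"):
        problems.append("unexpected header")
    if not x5u.startswith("https://"):
        problems.append("x5u is not an https URL")
    if orig_tn != _digits(sip_from):  # signed number must be the one displayed
        problems.append("signed orig does not match SIP From")
    if _digits(sip_to) not in dest_tns:
        problems.append("SIP To not in signed dest")
    if abs(now - iat) > max_age:  # stale tokens suggest replay
        problems.append("iat outside freshness window")
    attest = payload.get("attest")
    return (attest if attest in ("A", "B", "C") else None), problems
```

An attestation of "A" means something only when the problems list is empty and the signature has separately been verified against a certificate chained to an approved SHAKEN certificate authority.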
FCC Mandate and Timeline
The FCC has been pushing STIR/SHAKEN deployment since 2019. Key dates:
- June 30, 2021: Large voice service providers required to implement STIR/SHAKEN on their IP networks.
- June 30, 2022: Small voice service providers (under 100,000 subscriber lines) required to implement, with extensions for facility-based smaller providers.
- June 30, 2023: Gateway providers required to authenticate calls coming in from non-IP networks and from foreign carriers.
- Ongoing: Continued tightening of robocall mitigation requirements, with the FCC's Robocall Mitigation Database and certifications required from all originating carriers.
The FCC also requires non-compliant carriers to be blocked at the gateway. Carriers that don't authenticate calls or that allow illegal robocalls to traverse their networks face serious enforcement.
Impact on Outbound Contact Centers
STIR/SHAKEN matters for any business that makes outbound calls, especially contact centers, debt collectors, healthcare reminder services, and political campaigns. Calls that don't get A attestation may end up displaying as "Spam Likely" or "Scam Likely" on customer phones, get auto-routed to voicemail, or get blocked entirely.
To get A attestation reliably, an outbound contact center needs to:
- Source phone numbers from a single carrier or a small number of carriers, with documented assignment
- Avoid spoofing (using numbers the carrier hasn't assigned to the business)
- Use the actual assigned number in the From field, not arbitrary numbers
- Register with the carrier as a verified caller, providing business documentation
Some carriers offer enhanced caller ID services that display the business name and verification status to recipients on supported devices. These build on STIR/SHAKEN attestation but layer on branding and verification information.
STIR/SHAKEN and TCPA
STIR/SHAKEN doesn't replace TCPA compliance. A call can be perfectly authenticated and still violate the TCPA if it's an autodialed marketing call to a mobile number without consent. The two frameworks address different problems: STIR/SHAKEN authenticates the caller ID; TCPA governs whether the call is allowed at all.
That said, the FCC treats them as connected. Carriers that fail to implement STIR/SHAKEN or that knowingly allow illegal robocalls to transit their networks face enforcement that can include TCPA-style penalties.
Limits
STIR/SHAKEN authenticates caller ID. It doesn't verify that the caller is who they say they are or that the call is legitimate. A scammer can still register a business number and use it to call people. STIR/SHAKEN only confirms that the number displayed is one the originating carrier has signed off on. The fight against fraudulent calls extends beyond authentication into analytics, blocking lists, and consumer education.
STIR/SHAKEN affects how US contact centers reach customers. Calls that don't get high-attestation signing risk being flagged as spam or never connecting. For Paytia clients running outbound campaigns or callbacks for payment-related contact, the carrier and number management decisions matter as much as the dialer configuration.
Paytia's telephone payment solution handles the secure-payment piece of the call. The dialer, the carrier, and the number provisioning sit upstream of us. We work with US clients who pair Paytia with verified outbound calling setups (numbers assigned through their carrier with full attestation) so that customers actually answer the call.
Inbound calls to the contact center don't have the same STIR/SHAKEN dependency since the customer is the one initiating. For inbound payment flows, look at IVR payments and agent-assisted phone payments as the standard model.
Frequently Asked Questions
Does STIR/SHAKEN stop all robocalls?
No. It authenticates that the caller ID is signed by an originating carrier with a stated attestation level. It doesn't stop a bad actor with a registered business number from making fraudulent calls. Analytics, blocking, and consumer reporting layered on top of STIR/SHAKEN do most of the actual filtering.
What's the difference between A, B, and C attestation?
A means the originating carrier knows the customer and has verified their right to use the calling number. B means the carrier knows the customer but hasn't verified the number assignment. C means the carrier only knows where the call entered its network. A attestation is what outbound contact centers want, because lower attestations are more likely to be flagged or blocked.
Do I need to do anything to receive STIR/SHAKEN-signed calls?
No. Receiving carriers handle the verification automatically. If your phone shows a verified caller indicator (a checkmark, "Verified Number," or a name), that's the result of STIR/SHAKEN verification on the call you're receiving.
Does STIR/SHAKEN apply internationally?
Currently it's primarily a US framework, with similar standards being adopted in Canada and explored in other countries. International calls coming into the US typically get C attestation at the gateway because the foreign carrier isn't part of the STIR/SHAKEN trust framework.