If your business makes outbound calls in the United States and those calls are being labelled “Spam Likely” or going unanswered, STIR/SHAKEN is almost certainly part of the reason. It is the call authentication framework that US carriers use to decide how much to trust the caller ID your calls display — and if your provider does not have it properly implemented, your calls pay the price.
This guide explains what STIR/SHAKEN is, what the three attestation levels (A, B, C) mean for your calls, what the 2026 regulatory updates require, and what to look for in a compliant voice provider.
What Is STIR/SHAKEN?
STIR/SHAKEN is a framework of protocols developed to combat illegal caller ID spoofing — where bad actors display a fake phone number to deceive the person receiving the call. The name combines two separate standards: STIR (Secure Telephone Identity Revisited) is the underlying technical protocol, and SHAKEN (Signature-based Handling of Asserted information using toKENs) is the implementation framework US carriers use to deploy it.
Here is how it works at a high level: when your business places a call, your voice provider (the originating carrier) digitally signs that call with a cryptographic certificate. The certificate records the caller ID presented, when the call was made, and — critically — how confident the carrier is that the caller ID is legitimate. This signed information travels with the call through the network. When the call reaches the recipient’s carrier (the terminating carrier), it verifies the signature and uses the attestation level to make decisions about how to handle or label the call.
| The framework was mandated by the TRACED Act (2019) and the FCC’s subsequent rules. All major US voice service providers were required to implement STIR/SHAKEN by June 2021. Since then, the FCC has progressively tightened requirements — most significantly with 2026 updates that added annual recertification obligations and proposed enhanced Know-Your-Upstream-Provider (KYUP) rules. |
The Three Attestation Levels: A, B, and C
The single most important concept in STIR/SHAKEN for a business customer is the attestation level your calls receive. Attestation is the carrier’s statement about what it knows regarding the caller’s identity and their right to use the number being presented. There are three levels:
| Level | Name | What it means | Impact on calls |
| A | Full Attestation | The carrier has verified the subscriber’s identity AND their right to use the calling number presented. | Lowest risk of spam labeling. Highest answer rates. |
| B | Partial Attestation | The carrier verified the subscriber’s identity but cannot confirm they are authorised to use that specific number. | Medium risk. May trigger warnings on some networks. |
| C | Gateway Attestation | The carrier received the call from another carrier but cannot verify the original caller’s identity at all. | Highest risk of spam labeling or call blocking. |
| Real-world example: A VoIP provider in the US found that when their upstream carrier signed outbound calls at A-level attestation, calls connected normally. When the upstream carrier quietly changed those calls to C-level attestation, the same customers’ calls began getting flagged and blocked — with no change to the customer’s own setup. This illustrates why choosing a carrier with proper STIR/SHAKEN implementation is a business-critical decision, not just a compliance checkbox. |
Who Is Required to Implement STIR/SHAKEN?
STIR/SHAKEN obligations apply to voice service providers (VSPs), not to individual businesses using those providers. If you are buying SIP trunking, hosted PBX, or cloud calling from a VoIP provider, your obligation is to choose a provider that has properly implemented the framework — not to implement it yourself.
The FCC categorises providers by their implementation obligations:
| Provider Type | STIR/SHAKEN Obligation |
| Originating VSP (your voice provider) | Must sign outgoing calls with STIR/SHAKEN. Must file in the Robocall Mitigation Database (RMD). |
| Intermediate provider | Must pass STIR/SHAKEN identity headers through. Cannot downgrade attestation level. |
| Terminating VSP (recipient’s carrier) | Must verify STIR/SHAKEN signatures and may use them to label or block calls. |
| Business customer (you) | Must use a compliant originating VSP. No direct FCC STIR/SHAKEN obligation to implement. |
The Robocall Mitigation Database (RMD): What It Is and Why It Matters
The Robocall Mitigation Database is an FCC-maintained public registry where every US voice service provider must file a certification of their STIR/SHAKEN implementation status and their robocall mitigation programme. If a provider is not in the RMD with an active, current filing, terminating carriers are legally required to block traffic they send directly.
The RMD became significantly more demanding in 2026:
- Annual recertification required: Beginning 2026, providers must recertify their RMD filing every year. The first annual recertification deadline was March 1, 2026 (with the recertification window opening February 1, 2026). Providers who miss recertification have their filing rendered inactive.
- 10-business-day update rule: Any change to the information in a provider’s RMD filing — ownership, contact details, STIR/SHAKEN status — must be updated within 10 business days. This rule became effective February 5, 2026.
- CORES information synchronisation: A provider’s FCC CORES (Communications Data Management System) registration, tied to their FCC Registration Number (FRN), must also be updated within 10 business days of any changes.
- Increased penalties: The FCC raised base forfeiture amounts to $10,000 for filing false or inaccurate RMD information, and $1,000 for failing to update an RMD filing within the required timeframe.
| ✅ BUYER’S DUE DILIGENCE |
| What this means for buyers: A provider can have had a valid RMD filing and then let it lapse — through a missed recertification or a stale filing — without any visible change to how they present themselves to customers. Before signing a voice services contract, ask your provider to confirm their RMD filing status and provide their provider identifier. You can verify directly at the FCC’s RMD portal. |
What the May 2026 FCC FNPRM Changes (And Why It Matters Right Now)
On May 20, 2026, the FCC adopted a Further Notice of Proposed Rulemaking (FNPRM) that proposes the most significant expansion of STIR/SHAKEN obligations since the framework was first deployed. While these are proposed rules — not yet final — they signal where US voice regulation is heading and affect decisions businesses should be making today about their carrier relationships.
1. Enhanced Know-Your-Upstream-Provider (KYUP) Requirements
Currently, providers have broad flexibility in how they fulfil their KYUP obligation — essentially, they must take “reasonable steps” to know who they are accepting traffic from. The FNPRM proposes to replace this flexibility with specific, codified requirements across five categories:
- Information collection: Providers would be required to collect specific business, financial, and ownership information from every upstream provider — including company identity, ownership structure, regulatory history, and the types of services and customers they serve.
- Compliance review: Providers would need to confirm that every upstream provider has a current RMD filing, has obtained a Service Provider Code (SPC) token if they certified STIR/SHAKEN implementation, is not on the Foreign Adversary Control System, has not had an FCC licence revoked, and has not been subject to FCC enforcement action.
- Traceback history evaluation: Providers would be required to evaluate an upstream provider’s history of responding to traceback requests — industry investigations into the origin of suspected illegal calls.
- Monitoring obligations: Providers would need to implement baseline ongoing monitoring: regularly checking upstream providers’ compliance, using call analytics to identify suspect traffic, and acting when a provider shows signs of non-compliance.
- Refusal of service: Providers would be required to refuse service from upstream providers that fail KYUP checks — closing the current loophole where providers can continue accepting traffic from known bad actors.
2. Raising STIR/SHAKEN Attestation Standards
The FNPRM also proposes to tighten the criteria required before a provider can assign each attestation level — particularly A-level (Full Attestation). Under current practice, some providers assign A-level attestation too loosely. The proposed rules would codify the ATIS attestation standards into FCC rules, making specific requirements legally binding rather than voluntary industry guidelines.
For businesses, this means A-level attestation on calls from a compliant provider will carry more trust, while calls from providers that have been assigning A-level too liberally may see those calls re-evaluated.
3. Closing STIR/SHAKEN Loopholes
The FNPRM targets specific loopholes that allow calls to move through the network without reliable authentication. These include scenarios where calls are handed off between carriers in ways that strip or degrade the STIR/SHAKEN information, and where providers exploit definitional gaps about which types of voice service are covered.
| Timeline note: The May 20 FNPRM is a Notice of Proposed Rulemaking — it opens a comment period before rules are finalised. Final rules typically take 6–18 months after an FNPRM. However, providers who are already ahead of these requirements — with documented KYUP processes and tight RMD compliance — will face minimal disruption when final rules arrive. |
How STIR/SHAKEN Affects Your Business Calls
Even though STIR/SHAKEN is a carrier-level framework, its effects land squarely on your business. Here are the practical ways it shows up:
Spam Labeling
Terminating carriers — including T-Mobile, AT&T, and Verizon — use STIR/SHAKEN attestation levels, combined with their own analytics, to decide whether to label an incoming call as “Spam Likely” or “Scam Likely.” Calls with C-level attestation, or no attestation at all, are significantly more likely to receive these labels. Once your number is labelled, recipients often decline to answer, dramatically reducing the effectiveness of any outbound calling programme.
Call Blocking
Beyond labeling, carriers can block calls entirely. The FCC explicitly authorises terminating carriers to block calls that show signs of illegal spoofing or that come from providers with inactive or missing RMD filings. If your provider’s RMD filing lapses — through a missed annual recertification, for instance — terminating carriers are required to block their traffic.
Answer Rates
Answer rates for business calls have declined broadly over the past five years as consumers have become more sensitive to unknown numbers. STIR/SHAKEN is one of the few mechanisms that can actually improve answer rates — because carriers can display “Verified” indicators (on compatible devices) for calls that pass A-level attestation. These verified badges meaningfully increase the likelihood that recipients answer.
Regulatory Liability (for Providers)
If you are a reseller of voice services — for example, you resell SIP trunking to other businesses — STIR/SHAKEN obligations and penalties apply to you directly. The FCC’s KYUP requirements mean you are responsible for understanding the compliance status of the providers above you in the call path.
Choosing a STIR/SHAKEN-Compliant Voice Provider: What to Check
Not all providers who claim STIR/SHAKEN compliance deliver it equally. Here is what to verify before signing a voice services agreement:
| What to ask | What to look for |
| RMD filing status | Confirm the provider has an active, current RMD filing. Ask for their provider identifier and verify it yourself at the FCC portal. Confirm they completed the March 1, 2026 recertification. |
| Attestation level for your calls | Ask specifically what attestation level your outbound calls will receive. A provider who cannot answer this directly is a red flag. For most business phone numbers, A-level is achievable and should be the expectation. |
| SPC token | Providers who certified full or partial STIR/SHAKEN implementation are required to obtain a Service Provider Code (SPC) token from the STI Governance Authority. Ask for confirmation this is in place. |
| KYUP process | Ask how the provider vets its own upstream providers. With enhanced KYUP rules incoming, providers with documented processes are lower risk. |
| Traceback participation | Active providers respond to traceback requests promptly. Providers with histories of failed traceback responses are higher risk under the proposed FNPRM rules. |
| Call labeling remediation | Ask whether the provider has a process to help you address call labeling issues if they arise — including relationships with carrier analytics providers. |
STIR/SHAKEN and SIP Trunking: What Changes
For businesses using SIP trunking — where you connect your own PBX or UCaaS platform to a carrier’s network — STIR/SHAKEN has specific implications worth understanding:
- Number ownership verification: To receive A-level attestation, your SIP trunk provider needs to be able to verify that you are authorised to use the DIDs (phone numbers) assigned to your trunk. This is straightforward when your numbers are assigned to you directly by the provider. It becomes more complex if you are porting numbers in or using numbers from multiple sources — ensure your provider has a verification process that supports A-level for all your numbers.
- Outbound caller ID configuration: Calls that present a caller ID that does not match any number verified to your account will typically receive C-level attestation at best. Ensure your PBX is configured to present only verified numbers on outbound calls.
- Intermediate carrier hops: Every carrier that handles your call in transit must pass STIR/SHAKEN identity information through correctly. Providers that route through multiple unvetted intermediate carriers introduce downgrade risk at each hop. Prefer providers with direct interconnects to major US carriers.
- International calls originating in the US: Outbound international calls that originate from US numbers are subject to STIR/SHAKEN on the US leg. Cross-border calls arriving from outside the US are subject to separate FCC rules (also addressed in the May 2026 FNPRM) that extend some STIR/SHAKEN-like protections to foreign-originated traffic.
| 🔒 IDT EXPRESS COMPLIANCE STATEMENT |
| IDT Express and STIR/SHAKEN: IDT Express maintains full STIR/SHAKEN implementation as a licensed US voice carrier. Outbound calls on IDT Express SIP trunks and DID numbers are signed with appropriate attestation. Our RMD filing is current and recertified. For enterprise customers concerned about attestation levels and call labeling, contact our team — we can review your specific number configuration and outbound call flows to ensure you are getting the highest attestation level your setup supports. |
Common STIR/SHAKEN Misconceptions
“My calls aren’t spam — I don’t need to worry about this”
STIR/SHAKEN is not just a tool to combat scammers. Legitimate businesses with compliant calling practices but poorly-implemented STIR/SHAKEN on their carrier’s side still suffer from spam labeling. The framework cannot distinguish intent — it authenticates caller ID and attestation level. If your carrier has C-level attestation issues, your legitimate calls suffer the same consequences as bad actors.
“STIR/SHAKEN only applies to robocalls”
The TRACED Act and FCC rules apply to all voice calls in the US, including individual calls placed by humans through business phone systems. Any call that uses a VoIP carrier (which includes essentially all SIP trunking and cloud telephony) is subject to STIR/SHAKEN.
“If I pass STIR/SHAKEN I won’t be labelled as spam”
STIR/SHAKEN is one input into carrier spam labeling decisions, but not the only one. Carriers also use call analytics that look at calling patterns, consumer complaints, and number history. A-level attestation significantly reduces spam labeling risk, but businesses with aggressive calling patterns can still be labelled even with full attestation. STIR/SHAKEN compliance and responsible calling practices go together.
“My carrier has STIR/SHAKEN so I’m fully covered”
Implementation quality varies significantly between carriers. A provider can be technically STIR/SHAKEN-implemented while routinely assigning C-level attestation on calls that qualify for A-level, or while routing through intermediate carriers that degrade attestation. Ask specifically what attestation level your calls receive, not just whether the provider is “STIR/SHAKEN compliant.”
STIR/SHAKEN, TCPA, and 10DLC: How the Three US Frameworks Connect
US business communications in 2026 operate under three major regulatory frameworks, each targeting a different channel:
| Framework | Channel | What it governs |
| STIR/SHAKEN | Voice calls | Call authentication: verifies that the caller ID on outbound calls is legitimate and assigns attestation levels that affect how recipient carriers handle calls. |
| 10DLC | A2P SMS | Campaign registration: requires businesses sending bulk text messages to US numbers to register their brand and messaging campaigns with The Campaign Registry. |
| TCPA | Voice + SMS | Consumer consent: governs the conditions under which businesses may contact consumers by phone or text, including consent requirements, opt-out handling, and calling hours. |
These frameworks are complementary, not interchangeable. A business running compliant SMS campaigns under 10DLC still needs STIR/SHAKEN-compliant voice infrastructure. A business with full STIR/SHAKEN attestation still needs TCPA-compliant consent practices for any outbound marketing calls. Understanding all three is the foundation of a compliant US communications programme.
Frequently Asked Questions
What does STIR/SHAKEN stand for?
STIR stands for Secure Telephone Identity Revisited, and SHAKEN stands for Signature-based Handling of Asserted information using toKENs. STIR is the technical protocol (developed by IETF) and SHAKEN is the US carrier implementation framework (developed by ATIS/SIP Forum). Together they define how US carriers digitally sign and verify the caller ID information attached to voice calls.
Is STIR/SHAKEN the same as caller ID verification?
STIR/SHAKEN is a specific technical and regulatory framework for cryptographically signing and verifying caller ID information. It is more rigorous than older caller ID systems, which could be easily spoofed. However, it is not a guarantee that the caller ID displayed is the business’s primary number — it verifies that the originating carrier has attested to the call’s authenticity at the level indicated (A, B, or C).
Why are my calls still going to spam if my provider has STIR/SHAKEN?
The most common reasons are: (1) your calls are receiving B or C-level attestation rather than A-level, (2) your carrier routes through intermediate carriers that degrade the attestation, (3) your calling patterns or complaint history have triggered separate analytics-based labeling independent of STIR/SHAKEN, or (4) you are presenting caller IDs that your carrier cannot verify as belonging to you. Ask your provider specifically what attestation level your calls receive and review your outbound caller ID configuration.
What is the Robocall Mitigation Database?
The Robocall Mitigation Database (RMD) is an FCC-maintained public registry where all US voice service providers must file their STIR/SHAKEN implementation status and robocall mitigation programme. Providers with inactive or missing RMD filings can have their traffic blocked by terminating carriers. From 2026, providers must recertify their RMD filing annually by March 1.
What changed with STIR/SHAKEN in 2026?
Two major developments: first, the FCC introduced mandatory annual RMD recertification (first deadline March 1, 2026) with increased penalties for late or inaccurate filings. Second, on May 20, 2026, the FCC adopted a Further Notice of Proposed Rulemaking proposing significantly enhanced Know-Your-Upstream-Provider requirements, stricter attestation standards, and closure of loopholes that allow calls to pass without proper authentication. These proposed rules are not yet final but signal where enforcement is heading.
Do small businesses need to worry about STIR/SHAKEN?
Small businesses do not implement STIR/SHAKEN themselves — that is the carrier’s job. But small businesses are affected by their carrier’s implementation quality. If you use a SIP trunk or cloud phone system and your outbound calls are being labelled as spam or not answered, your carrier’s attestation level is very likely a factor. Choosing a carrier with robust STIR/SHAKEN implementation and A-level attestation is the most effective action a small business can take.
What is Know-Your-Upstream-Provider (KYUP)?
KYUP is an FCC obligation requiring voice carriers to conduct due diligence on the providers above them in the call path — to know who they are accepting traffic from and to confirm those providers are compliant. The May 2026 FNPRM proposes to codify specific KYUP requirements: collecting provider information, confirming RMD and SPC token status, evaluating traceback history, monitoring ongoing compliance, and refusing service from non-compliant providers.
About IDT Express
IDT Express is a carrier-grade communications provider with over 25 years of experience in US and international voice and messaging. Our SIP trunking, DID numbers, and A2P SMS services are built on fully STIR/SHAKEN-compliant infrastructure with current RMD filing. For businesses looking for a compliant US voice carrier with transparent pricing and enterprise-grade reliability, contact our team or start a free trial today.
