Regulations

What STIR/SHAKEN means for outbound call deliverability

Understand attestation levels, how identity verification works, and what callers can do to improve trust on the receiving end.

By Fiona McDonnell

Over the last couple of years, the number of fraudulent and spam phone calls being made to American phone numbers has been steadily on the rise. To help combat this problem the Federal Communications Commission (FCC) has developed a new framework SHAKEN/ STIR- which stands for Secure Handling of Asserted information using toKENs (SHAKEN) / Secure Telephony Identity Revisited (STIR).

Key points

SHAKEN/STIR verifies whether a call is legitimately associated with the number shown on caller ID.
It helps carriers and recipients distinguish trusted calls from potentially spoofed ones.
Adoption of the framework is a major part of ongoing robocall mitigation efforts.

What is SHAKEN/STIR?

SHAKEN/STIR is a new technology standard developed by industry experts to combat the rise in fraudulent robocalls and illegal phone number spoofing.

In the framework, originating service providers assign an attestation level to calls made on their network and assign a signed token that is included as a header in the SIP INVITE which is passed to the terminating service provider (TSP). The signature on the token is validated by a verification service and the call is sent to the recipient. The TSP can either pass along the verification results to the called party or take additional action, such as blocking the call.

Sign up for emails of our latest articles and news

What is Attestation?

SHAKEN/STIR has a three-level system to categorize the essential information about the caller into levels of “attestation” for the call. The different levels describe the level of trust or proof a provider has in the caller’s right to use that particular number, with attestation levels ranging from 'A' to 'C'.

What are the differences between A, B, and C attestation?

Full Attestation (A): The provider knows the customer, knows they have a right to use the originating number, and knows that the call originated on their network. For numbers purchased in the Telnyx portal, you should expect to receive an 'A Attestation'.

Partial Attestation (B): The provider knows the customer but the customer may be using another provider's phone number. The call is legitimate but the provider can’t fully attest because of missing information.

Gateway Attestation (C): The provider can’t verify the customer or the phone number and has no way of knowing whether the call is legitimate. The originating provider will still attest to the call in order to mark that the call originated on their network.

For an in-depth review of the requirements for each level, check out our previous post which takes deep dive into attestation.

What attestation can a Telnyx customer expect?

Telnyx customers who have purchased numbers from Telnyx can expect to receive an A attestation. If a Telnyx customer is using a number that is not on the Telnyx portal, the customer will be assigned a B attestation.

Telnyx customers with HVSD traffic can expect B attestation.

Is there a way that Telnyx customers can have their attestation increased?

Customers who would like to receive an A attestation should consider porting their numbers over to the Telnyx portal. With Fastport, customers can port their numbers to Telnyx in just a few clicks while maintaining complete control and transparency throughout the porting process.

In the case where this is not possible, the customer must meet the below requirements to be considered for increased attestation:

They must be a committed customer
They cannot have any Traceback complaints or subpoenas related to fraud.
They should have a KYC (know your customer) vetting system to ensure that bad actors cannot get on their network.

Will Telnyx customers be notified if we add attestations to their calls and what attestation they received?

Telnyx is fully compliant with SHAKEN/STIR and, as such, all calls originating on the Telnyx network will receive an attestation. There is no action required from the customer.*

The customer will not be notified of the attestation it receives from Telnyx but customers should be able to predict attestation level based on the requirements outlined in the above questions.

*Telnyx will sign and attest to any outbound call that is not signed by our customer. Customers, however, should be aware of any applicable regulatory requirements to directly participate in the SHAKEN/STIR ecosystem and to sign their own calls as mandated by the Federal Communications Commission. Telnyx will pass SHAKEN signatures along that we receive in any outbound calls.

Can providers block inbound calls based on attestation?

Providers are not allowed to block calls based solely on attestation level, but the FCC has provided safe harbors to terminating providers who leverage authentication data to influence their filters. For more information on how to ensure your calls do not get caught by terminating spam filters, check out this support article.

How does Telnyx plan to handle attestations for self-service customers?

If the self-service customer provides all the required information on sign-up, and they have bought/ ported numbers to Telnyx they will receive attestation A.

In the case of MSPs, does Telnyx only provide 1 Token?

Yes, Telnyx provides just 1 Token for all customers, inclucding MSPs. As a participant of the Industry Traceback Group, Telnyx strongly encourages every customer leveraging termination services through Telnyx to register as an ITG participant so that we can work together to end illegal robocalls and protect consumers from fraudulent behavior.

Is there an additional cost for customers who want to authenticate traffic?

The FCC has mandated that service providers cannot charge for SHAKEN/ STIR services and so it will be free to all Telnyx customers.

What happens to inbound calls that are signed by other providers/ customers?

Customers will see inbound calls with identity headers come thorugh. Inbound calls with A attestation and a valid token will now have the 'verstat' parameter added to P-Asserted-Identity headers.

If you still have questions surrounding SHAKEN/ STIR and Traceback, please get in touch with our team of experts.

What is STIR/SHAKEN? STIR/SHAKEN is a framework for authenticating caller ID on IP-based voice, using cryptographic signatures to verify that a call’s displayed number is legitimate. It helps curb spoofing and restores caller trust across modern voice networks.

How does STIR/SHAKEN work? The originating service signs the call with a digital certificate and an attestation level in the SIP Identity header. The terminating provider verifies the signature and sets a verification status that downstream analytics and devices can use.

How do you get STIR/SHAKEN capability? Providers that sign calls need proper authorization, including regulatory filings and certificates from the industry governance authority. If you use a carrier or CPaaS, they sign on your behalf while you integrate through a developer documentation hub.

Is STIR/SHAKEN effective? It has significantly reduced domestic caller ID spoofing on IP routes but is not a complete solution. Gaps remain for non-IP call legs, some international traffic, and bad actors that shift tactics.

How do you block spoofed calls? Use a layered approach that includes analytics-based blocking, reputation scores, allow and deny lists, and strict handling for unknown numbers. Educate users not to share sensitive information on unexpected calls and to report suspicious activity.

Does STIR/SHAKEN apply to SMS or MMS? No, STIR/SHAKEN secures caller ID for voice only, while messaging follows separate policies and channel rules defined by the SMS vs. MMS distinction. Messaging trust often relies on registration, vetting, and sender policies rather than call signing.

How is caller ID authentication different from messaging identity? Caller ID authentication verifies the phone number used on a live voice session, whereas messaging identity concerns the sender used in multimedia campaigns documented in what is MMS messaging. The controls, transport, and compliance models differ, so do not assume voice rules apply to messaging.

Ask AI