STIR/SHAKEN Attestation Levels Explained

STIR/SHAKEN is the industry standard for call authentication that helps combat illegal robocalls and caller ID spoofing. Understanding the three attestation levels (A, B, and C) is critical for telecom providers, enterprise communications teams, and compliance professionals. This comprehensive guide explains what each level means, how they impact call delivery and trust scores, and what steps you need to take to achieve proper attestation.

Key Takeaways

  • Full Attestation (A) provides the highest level of trust: the carrier knows both the caller and can verify their right to use the number
  • Partial Attestation (B) confirms the caller's identity but not their authority to use the specific phone number
  • Gateway Attestation (C) only verifies the call's entry point into the network, offering minimal trust
  • FCC requires voice service providers to implement STIR/SHAKEN or file in the Robocall Mitigation Database
  • Higher attestation levels result in better call delivery rates and reduced spam flagging

What is STIR/SHAKEN?

STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted Information Using toKENs) is a framework of interconnected standards developed to authenticate caller ID information in VoIP and IP-based telephone networks. The framework was mandated by the FCC to combat the epidemic of illegal robocalls and caller ID spoofing that costs Americans billions of dollars annually in fraud.

The system works by having originating carriers cryptographically sign calls with a digital certificate that includes information about the calling party and the carrier's level of confidence in that information. Terminating carriers then verify these signatures, allowing them to make informed decisions about call handling based on the attestation level.

Why STIR/SHAKEN Matters

Before STIR/SHAKEN, caller ID information was trivially easy to spoof. Scammers could make calls appear to come from any number they chose — including government agencies, banks, or even the victim's own family members. The consequences have been severe:

  • $29.8 billion lost to phone scams in 2021 alone
  • Erosion of trust in voice communications as consumers stopped answering unknown calls
  • Legitimate businesses suffering from dramatically reduced answer rates
  • Neighbor spoofing attacks where scammers use local area codes to increase answer rates

STIR/SHAKEN addresses these issues by creating an accountable chain of custody for calls, making it much harder for bad actors to operate anonymously.

The Three Attestation Levels Explained

When a voice service provider signs a call with STIR/SHAKEN, they include an attestation level that indicates their confidence in the calling party's identity and their right to use the calling number. There are three levels, designated A, B, and C.

Full Attestation (Level A)

Full Attestation provides the highest level of trust and indicates that the originating provider:

  1. Has a direct relationship with the customer making the call
  2. Can identify and authenticate the customer
  3. Has verified that the customer is authorized to use the calling telephone number

This is the gold standard for call authentication. When a call receives Full Attestation, it means the carrier is vouching for both the caller's identity and their legitimate right to use that specific number.

Examples of Full Attestation scenarios:

  • A carrier's own customer making calls from their assigned phone number
  • An enterprise customer with verified number assignments calling from those numbers
  • A business with direct contracts and number verification with the originating carrier

Calls with Full Attestation typically see the best call delivery rates, lowest spam flagging rates, and are most likely to display positively in carrier apps and call-blocking services.

Partial Attestation (Level B)

Partial Attestation indicates that the originating provider:

  1. Has a direct relationship with the customer
  2. Can identify and authenticate the customer
  3. Has NOT verified that the customer is authorized to use the specific calling number

This level is common in scenarios where carriers know who their customer is but cannot verify that the presented caller ID is actually assigned to that customer. It represents a middle ground of trust.

Examples of Partial Attestation scenarios:

  • Enterprise PBX systems where the carrier knows the trunk customer but not individual extensions
  • Hosted VoIP providers passing through calls from their customers
  • Call centers using numbers that haven't been explicitly verified against their carrier assignments
  • Legacy TDM interconnections where detailed caller verification isn't possible

While Partial Attestation is better than Gateway Attestation, calls at this level may still receive increased scrutiny from analytics engines and could be flagged as potential spam more frequently than Full Attestation calls.

Gateway Attestation (Level C)

Gateway Attestation provides the lowest level of trust and only indicates that the originating provider:

  1. Is the point where the call entered their network
  2. Cannot authenticate the caller or verify their right to use the calling number

This attestation level is essentially saying "this call came into our network here, but we don't know anything about who made it." While honest, this lack of information puts calls at a significant disadvantage.

Examples of Gateway Attestation scenarios:

  • International calls entering the US network where overseas caller verification isn't possible
  • Calls from foreign carriers with no STIR/SHAKEN implementation
  • TDM-originated calls where no caller information is available
  • Traffic from wholesale carriers who don't pass customer identity information

Calls with Gateway Attestation are the most likely to be flagged as suspicious, blocked by call-blocking apps, or sent to voicemail. Legitimate businesses should strive to avoid this attestation level whenever possible.

Verify your call attestation. Use traceback search to check how your calls are being authenticated across the network.

Traceback Search API

How Attestation Levels Impact Your Calls

Call Delivery Rates

Attestation levels directly influence whether your calls get answered. Analytics providers and carrier systems use attestation as a key input in their call-scoring algorithms:

Attestation Level Typical Answer Rate Impact Spam Flag Risk
Full (A) Highest answer rates Lowest risk
Partial (B) Moderate answer rates Medium risk
Gateway (C) Lowest answer rates Highest risk

Analytics and Trust Scores

Call analytics providers like First Orion, Hiya, and TNS incorporate STIR/SHAKEN attestation into their reputation scoring. A consistent pattern of low attestation levels can:

  • Lower your overall calling number reputation
  • Trigger "Scam Likely" or "Potential Spam" labels
  • Cause your calls to be auto-blocked on certain devices
  • Result in calls going directly to voicemail

Regulatory Scrutiny

The FCC uses STIR/SHAKEN data in its enforcement activities. Patterns of calls with mismatched or inappropriate attestation levels can trigger regulatory attention, particularly if those calls are associated with consumer complaints or suspected illegal robocalling campaigns.

How to Achieve Full Attestation

Step 1: Work with STIR/SHAKEN-Compliant Carriers

Your originating carrier must be able to sign calls with proper attestation. Verify that your voice service provider:

  • Has obtained a STIR/SHAKEN certificate from an authorized Certificate Authority
  • Has implemented the necessary signing infrastructure
  • Supports Full Attestation for verified customers
  • Is listed in the FCC's Robocall Mitigation Database with proper filings

Step 2: Verify Your Number Assignments

To receive Full Attestation, your carrier must be able to verify that you're authorized to use the calling numbers. This typically requires:

  • Letters of Authorization (LOAs) for ported numbers
  • Number assignment records showing the numbers are allocated to you
  • Business verification confirming your identity and right to the numbers
  • Contract documentation linking specific number ranges to your account

Step 3: Implement Proper Call Origination

Technical implementation matters. Ensure your calling infrastructure:

  • Correctly populates caller ID information in SIP headers
  • Uses numbers that match your verified assignments
  • Doesn't override or manipulate caller ID in ways that break attestation
  • Maintains proper call routing to allow signature verification

Step 4: Monitor and Maintain

Attestation isn't a one-time setup. Ongoing maintenance includes:

  • Regular audits of your number inventory
  • Updating LOAs and verification when numbers change
  • Monitoring call analytics for attestation issues
  • Addressing any discrepancies promptly

Enterprise STIR/SHAKEN Considerations

Multi-Carrier Environments

Large enterprises often use multiple carriers and complex routing. In these scenarios:

  • Each carrier must independently verify your number rights
  • Calls may receive different attestation levels depending on routing
  • Consistent documentation across all carriers is essential
  • Consider consolidating voice services to simplify attestation management

Call Centers and BPOs

Business process outsourcers and call centers face unique challenges:

  • They often call on behalf of clients using client-branded numbers
  • Complex authorization chains are needed for proper attestation
  • Attestation responsibility may need to be delegated through contracts
  • Real-time number verification becomes critical at scale

UCaaS and CPaaS Platforms

Unified Communications and Communication Platform providers must:

  • Implement STIR/SHAKEN signing at the platform level
  • Verify customer number assignments before providing Full Attestation
  • Support proper attestation passthrough for enterprise customers
  • Provide transparency into attestation levels for troubleshooting

FCC Regulatory Requirements

Implementation Mandate

The FCC required all voice service providers to implement STIR/SHAKEN in the IP portions of their networks by June 30, 2021. Small carriers (those with 100,000 or fewer subscribers) received an extension until June 30, 2023.

Robocall Mitigation Database

All voice service providers must file in the FCC's Robocall Mitigation Database, certifying either:

  • Full STIR/SHAKEN implementation, or
  • A robocall mitigation program describing alternative measures

Carriers that haven't filed are subject to blocking by other providers. Check the database regularly to ensure your carriers are compliant.

Governance Authority

The STIR/SHAKEN Governance Authority (STI-GA) oversees the policy framework, while STI-PA (Policy Administrator) manages the certificate issuance process. These bodies work with the FCC to ensure the framework operates effectively.

Troubleshooting Attestation Issues

Common Problems and Solutions

Issue Possible Cause Solution
Calls receiving C attestation unexpectedly Carrier can't verify number authorization Submit LOAs and number verification documents
Mixed attestation levels for same number Routing through different carriers Ensure all carriers have proper verification
No attestation on calls Carrier hasn't implemented STIR/SHAKEN Switch to a compliant carrier
Attestation mismatch errors Caller ID doesn't match verified numbers Audit calling number configuration

Using Traceback for Attestation Verification

Industry traceback mechanisms allow you to verify how your calls are being signed and processed across the network. Use traceback search capabilities to:

  • Confirm your calls are receiving expected attestation levels
  • Identify carriers in your call path that may be causing issues
  • Document your call authentication for compliance purposes
  • Troubleshoot delivery issues related to attestation

Future Developments in Call Authentication

Rich Call Data (RCD)

The next evolution of STIR/SHAKEN includes Rich Call Data, which allows carriers to transmit additional information about callers, including:

  • Verified business name and logo
  • Call purpose or reason
  • Enhanced caller branding

This will further differentiate legitimate business calls and improve answer rates for authenticated callers.

Delegated Certificates

Enterprise customers may eventually be able to obtain their own STIR/SHAKEN certificates, allowing them to sign calls directly rather than relying on carrier attestation. This could provide:

  • Greater control over call authentication
  • More consistent attestation across carriers
  • Enhanced accountability for enterprise calling

STIR/SHAKEN Best Practices

  1. Audit your number inventory — Know exactly which numbers you have authorization to use
  2. Document everything — Maintain current LOAs and assignment records
  3. Choose compliant carriers — Work with providers that have robust STIR/SHAKEN implementation
  4. Monitor attestation levels — Regularly check how your calls are being signed
  5. Address issues promptly — Don't let attestation problems persist
  6. Stay informed — Keep up with regulatory changes and industry developments
  7. Use analytics — Leverage call analytics to understand your call delivery performance
  8. Coordinate across teams — Ensure telecom, IT, and compliance teams are aligned

Frequently Asked Questions

What is the difference between STIR and SHAKEN?

STIR (Secure Telephone Identity Revisited) is the set of IETF standards that define how caller identity information is authenticated cryptographically. SHAKEN (Signature-based Handling of Asserted Information Using toKENs) is the implementation framework developed by ATIS and SIP Forum that specifies how carriers deploy STIR in their networks. Together, they form the complete call authentication system.

Can I get Full Attestation for toll-free numbers?

Yes, toll-free numbers can receive Full Attestation, but it requires proper number verification with your carrier. Since toll-free numbers are managed through Responsible Organizations (RespOrgs), your carrier needs documentation showing you're the authorized user of those numbers. Work with your carrier and RespOrg to ensure proper assignment records are in place.

Why are my calls showing different attestation levels on different days?

Variable attestation levels usually indicate routing inconsistencies. Your calls may be taking different paths through the network based on carrier routing decisions, load balancing, or failover scenarios. Each carrier in the path applies their own attestation based on their verification of your number rights. To fix this, ensure all potential originating carriers have proper documentation of your number authorizations.

Does STIR/SHAKEN stop all robocalls?

No, STIR/SHAKEN doesn't block calls directly — it provides authentication information that carriers and analytics providers use to make blocking decisions. It makes spoofing much harder and allows legitimate callers to prove their identity, but determined bad actors may still find ways to abuse the system. It's one important tool in the broader fight against illegal robocalls, not a complete solution.

What happens if my carrier doesn't support STIR/SHAKEN?

If your carrier hasn't implemented STIR/SHAKEN, your calls won't receive any attestation, which is even worse than Gateway Attestation from a trust perspective. Additionally, if your carrier hasn't filed in the FCC's Robocall Mitigation Database, other carriers may block traffic from them entirely. You should verify your carrier's compliance status and consider switching if they're not meeting regulatory requirements.

Related Articles

FCC Traceback Requirements

TCPA Consent Requirements 2025

Robocall Mitigation Database

State-Level Telecom Regulations

Call Authentication Best Practices

← Back to STIR/SHAKEN & TCPA Compliance

Verify Your Call Authentication

Use our traceback search and carrier lookup tools to monitor your STIR/SHAKEN attestation levels.

Get Free API Key View Pricing