STIR/SHAKEN Compliance Guide: Stop Spam Flags Now 

Robocalls are a daily nuisance for millions, with Americans receiving an average of 2.5 billion robocalls each month. The problem is made worse by caller ID spoofing, where scammers disguise their numbers to appear trustworthy, making it hard to know which calls are real and which are fraudulent. Criminals use these tactics to run scams and steal information, which is why a clear STIR/SHAKEN compliance guide is essential for legitimate callers who want their calls to be trusted.

The combination of robocalls and caller ID spoofing makes it challenging for individuals to identify and avoid unwanted or fraudulent calls. This allows criminals to carry out illegal activities such as scams.

To combat this problem, The Federal Communications Commission (FCC) has been promoting measures for STIR SHAKEN compliance to stop robocalls and caller ID spoofing since 2014. In response, the telecommunications industry has developed the STIR/SHAKEN framework and technical standards to address this issue.

What does STIR/SHAKEN mean?

STIR (Secure Telephony Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are two standards that work together to fight robocalls and caller ID spoofing. If you’re looking for a stir/shaken compliance guide, understanding these two components is the first step.

Secure Telephony Identity Revisited (STIR)

STIR is an authentication protocol. It creates a digital certificate that verifies the caller’s identity. This certificate, or token, is attached to the call. It confirms that the phone number shown on the caller ID is actually linked to the caller. This helps establish a secure caller identity.

Signature-based Handling of Asserted information using toKENs (SHAKEN)

SHAKEN is how STIR gets implemented in real-world phone networks.

It sets the technical standards for:

✅ Creating the digital certificate

✅ Attaching the token to the call, and 

✅ Checking the token’s validity. 

Together, STIR and SHAKEN ensure that caller ID information is authentic. This reduces fraudulent robocalls and gives consumers more security. In short, the stir/shaken framework is the backbone of modern call authentication.

What are the benefits of the STIR/SHAKEN framework?

Implementing STIR/SHAKEN compliance brings several advantages:

• Cost savings: Calls are less likely to be marked as spam, so you save money on wasted calls.
• Regulatory compliance: STIR/SHAKEN helps you meet FCC and other regulatory requirements, avoiding fines or penalties.
• Reputation protection: Authenticated calls are less likely to be blocked or flagged as spam, protecting your organization’s reputation.
• Higher answer rates: A “Verified” caller ID increases the chances that people will answer your calls.
• Increased trust: Your contacts know your calls are legitimate, building trust.

If you’re searching for a stir/shaken compliance guide, these benefits show why it’s worth the effort to implement.

Read Also: STIR SHAKEN Protocol: You Must Know This Before Making Calls 

How does STIR/SHAKEN compliance work?

STIR/SHAKEN verifies the authenticity of a caller’s phone number using digital certificates and encryption. Here’s how the process works:

1. The caller places a call.
2. Caller’s carrier generates a digital certificate: This certificate verifies the caller’s identity and includes the phone number, name, and a digital signature.
3. Caller’s carrier attaches the certificate to the call: The certificate is sent as a token along with the call.
4. Recipient’s carrier retrieves the token: When the call reaches the recipient’s carrier, it pulls the token from the call.
5. Recipient’s carrier validates the certificate: The carrier checks the token against its database of legitimate certificates.
6. Caller ID displayed or call blocked: If the certificate is valid, the call goes through and the caller ID is shown. If not, the call may be blocked or marked as spam.

This process happens in seconds, with no noticeable delay for the caller or recipient. The technical details may vary by phone company, but the goal is always to verify and validate the caller’s identity.

Attestation levels: STIR/SHAKEN compliance guide

In the STIR/SHAKEN framework, attestation levels show how much the carrier trusts the caller ID information.

There are three main levels:

• [A] Full attestation: The carrier knows the caller and confirms they are authorized to use the phone number.
• [B] Partial attestation: The carrier knows the caller but isn’t sure if they’re authorized to use the number.
• [C] Gateway attestation: The carrier can’t confirm the caller’s identity or authorization, often used for international calls.

These attestation levels are part of the stir/shaken process, but they don’t guarantee a call is trustworthy. Carriers and analytics engines still analyze calls for signs of fraud or spam.

What will happen if you don’t do anything about STIR/SHAKEN compliance?

If you don’t authenticate your caller ID, your calls are more likely to be blocked or marked as spam. This leads to lower answer rates and more complaints from your contacts. Your organization’s reputation can suffer, and you may face regulatory penalties.

For organizations unsure about compliance steps, a stir/shaken compliance guide is a valuable resource.

How to implement STIR/SHAKEN

Organizations can seek assistance from their calling software provider to guide them through the process and ensure that it is done correctly.

STIR/SHAKEN compliance guide legislation

STIR/SHAKEN is a set of technical standards that have been adopted by the Federal Communications Commission (FCC) in the United States and by the Canadian Radio-television and Telecommunications Commission (CRTC) in Canada.

If you use robocalls, you may be subject to a number of legal requirements and governmental regulations related to the use of STIR/SHAKEN. 

Here are some examples:

1. FCC’s TRACED Act: In the United States, the Federal Communications Commission (FCC) has issued a mandate that all telecom/voice service providers must implement the STIR/SHAKEN framework, as part of the TRACED Act. 
2. TCPA (Telephone Consumer Protection Act): In the United States, the TCPA is a federal law that regulates telemarketing calls, including robocalls. Organizations that use robocalls must comply with the TCPA’s requirements. This includes obtaining prior express written consent from consumers before making robocalls, and providing a way for consumers to opt-out of receiving robocalls.
3. CRTC’s regulations: The Canadian Radio-television and Telecommunications Commission (CRTC) has recommended service providers to implement STIR/SHAKEN, but it is not mandating the implementation. 
4. Other regulations: In addition to the regulations of the FCC and CRTC, there may be other regulations or laws in different countries that organizations must comply with when using robocalls.

STIR/SHAKEN updates for 2025–2026

What’s new in the US:

• According to FCC, originating providers must now use their own STIR/SHAKEN certificates and make independent attestation decisions, even if a third party signs calls on their behalf.
• If a provider does not meet these requirements, the FCC can remove them from the Robocall Mitigation Database, which often leads to their traffic being blocked by other carriers.
• Starting September 18, 2025, providers with a STIR/SHAKEN obligation must authenticate calls with a certificate tied to their own SPC token, not a third party’s.

What’s new in Canada:

• The CRTC has eliminated semi‑annual STIR/SHAKEN status reports for most providers and replaced them with targeted information requests plus simplified annual reports for those still implementing.
• The core requirement to implement STIR/SHAKEN for IP‑based calls remains in place.

What this means for you:

If you operate as a voice service provider, you must confirm with your carrier or legal counsel that your STIR/SHAKEN setup (certificates, attestation process, and Robocall Mitigation Database filings) matches the latest FCC rules.

If you are a brand or campaign using a platform like CallHub, work closely with your provider to ensure your numbers are fully registered and your traffic is being signed with the correct attestation level.

STIR/SHAKEN compliance guide and CallHub

The process includes providing a few details about your organization for STIR/SHAKEN compliance to the carrier. Once submitted, the carrier will verify it and assign an attestation level to your account.

FAQs on stir/shaken compliance guide

Tenzin Tsetan

A Tibetan content strategist specializing in helping organizations amplify their digital presence. Through in-house content creation, bridging traditional wisdom with modern storytelling to engage diverse global communities, with a focus on political organizations, nonprofits, and advocacy groups.