If you originate or carry voice calls in the United States, STIR/SHAKEN is not optional. The FCC requires virtually all voice service providers, intermediate providers, and gateway providers to implement the framework. Understanding what the three attestation levels actually mean — and which one applies to your traffic — is essential to staying compliant and avoiding call labelling or blocking by downstream carriers.
What STIR/SHAKEN actually does
STIR/SHAKEN is a framework of technical standards that allows voice service providers to digitally sign the caller ID information on a call. The signing is embedded in the SIP INVITE message that initiates the call, using an Identity header containing an encrypted token. When the call reaches a terminating provider, that provider can decrypt the token, verify the caller ID information, and use that information to decide how to treat the call.
The framework relies on a certificate governance system maintained by a neutral authority. Each participating provider holds a certificate that establishes their identity within the system. The FCC requires all providers with a STIR/SHAKEN obligation to file certifications in the Robocall Mitigation Database confirming their compliance status.
The three attestation levels
The STIR/SHAKEN standards define three levels of attestation, reflecting what the signing provider actually knows about the call it is authenticating.
A-level: Full attestation
A-level attestation is the highest level. It asserts that the signing provider can confirm both the identity of the subscriber making the call and that the subscriber has the right to use the telephone number appearing in the caller ID. In practical terms, this means the provider has a direct customer relationship, knows who the customer is, and has verified that the number belongs to that customer.
Calls with A-level attestation carry the strongest signal of legitimacy. Terminating providers and analytics tools treat A-level calls as the most trustworthy, and some carriers display a verification indicator to the called party when a call carries full attestation.
B-level: Partial attestation
B-level attestation asserts that the signing provider can confirm the identity of the subscriber but cannot verify that the subscriber is authorised to use the specific telephone number in the caller ID. This typically arises in situations where a business customer is using a number that the carrier has not directly provisioned — for example, a number ported from another provider or a number managed through an intermediary.
B-level calls are not inherently suspicious, but they do not carry the same assurance as A-level calls. Downstream providers may apply additional scrutiny.
C-level: Gateway attestation
C-level attestation is the lowest level. It asserts only that the signing provider is the entry point of the call into the IP network and has no relationship with the party that initiated the call. This level is typically applied by gateway providers processing calls that arrive from foreign networks or from providers with whom no direct relationship exists.
C-level calls are not necessarily fraudulent — international traffic frequently carries C-level attestation by design — but they lack the assurance of higher levels and may be subject to blocking or labelling by some carriers.
Who must comply
The FCC has progressively expanded the STIR/SHAKEN obligation since its initial introduction in 2021. Voice service providers, gateway providers, and intermediate providers are all now required to implement the framework for calls carried over IP networks. Non-IP networks are subject to separate obligations, including requirements to either upgrade to IP or implement alternative caller ID authentication solutions.
All providers in scope must file both their STIR/SHAKEN implementation certification and their robocall mitigation plan in the Robocall Mitigation Database. Providers that fail to comply risk having their traffic blocked by downstream carriers that check the database before accepting calls.
Third-party signing arrangements
Some providers use third-party technology vendors to handle the technical process of signing calls. The FCC's rules permit this, but with important constraints. The provider with the STIR/SHAKEN obligation must still make all attestation level decisions itself — it cannot delegate that judgement to the third party. And all calls must be signed using the provider's own certificate, not the certificate of the third-party vendor. Arrangements that violate these requirements do not satisfy the compliance obligation.
What this means for wholesale operators
For wholesale voice providers, the attestation level question is particularly important. When you carry traffic on behalf of resellers or channel partners, the attestation level you can legitimately assign depends on what you actually know about the originating party and their right to use the calling number. Assigning A-level attestation to traffic where you have no direct customer relationship is not compliant and creates enforcement exposure.
Providers operating under Infinititel's FCC registration benefit from our Robocall Mitigation Database listing. For partners who hold their own STIR/SHAKEN certificates, delegated signing arrangements are available — contact us to discuss your specific configuration.
This article is for informational purposes and does not constitute legal or regulatory advice. Requirements change over time. Consult a qualified telecommunications lawyer for advice specific to your situation.