ABOUT TO CHANGE FOREVER.
STIR/SHAKEN Implementation Guide for Carriers and Enterprises
STIR/SHAKEN is no longer optional. The FCC mandate is in place, carriers are enforcing compliance, and enterprises need to understand what this means for their voice infrastructure.
If you've been postponing STIR/SHAKEN implementation, waiting for more guidance, or unsure how it fits into your network architecture, this guide is for you. We'll walk through what STIR/SHAKEN actually does, how it works, the FCC compliance timeline, step-by-step implementation, common deployment challenges, and how to execute at scale.
What Is STIR/SHAKEN? (And Why It Matters)
Let's start with the acronyms:
STIR = Secure Telephone Identity Revisited SHAKEN = Signature-based Handling of Asserted information using toKENs
Together, they form a framework that cryptographically authenticates the Caller ID on voice calls. Here's the simple version: STIR/SHAKEN lets the terminating carrier (the one receiving your call) verify that the calling number actually belongs to you, and that you're authorized to use it.
This solves a fundamental problem in the Public Switched Telephone Network (PSTN): caller ID spoofing. For decades, anyone with basic VoIP access could claim to be calling from any number. Scammers exploited this relentlessly. Robocall campaigns, phishing calls, and fraud all depended on spoofing.
STIR/SHAKEN closes this loophole by replacing trust with cryptography. Instead of trusting that a Caller ID number is legitimate, the system verifies it using digital certificates and cryptographic signatures.
How STIR/SHAKEN Works (The Technical Foundation)
STIR/SHAKEN operates in three layers:
Layer 1: Certificate Authority and Trust Chain A Certificate Authority (CA) issues digital certificates to carriers and voice service providers. These certificates prove that an organization is authorized to originate calls from specific number blocks. The CA maintains the Public Key Infrastructure (PKI) that all participants trust.
Layer 2: STIR Token Generation and Signing When you originate a call, your carrier (the originating service provider) creates a STIR token—a digitally signed JSON object that contains:
- The originating number
- The terminating number
- The origination timestamp
- The identity of the carrier asserting the information
- An attestation level
- A digital signature using your private key
The originating carrier attaches this token to the SIP INVITE message that initiates the call.
Layer 3: Token Verification at Termination The terminating carrier (the one receiving the call) receives the SIP message with the STIR token. It:
- Extracts the token
- Retrieves the originating carrier's public certificate
- Verifies the digital signature using the public key
- Confirms that the originating number matches the asserted number
- Assigns an attestation level based on the verification result
The attestation level falls into three categories:
- Full Attestation (A): The originating carrier verified the caller's identity and authorized the call. This is the highest trust level.
- Partial Attestation (B): The originating carrier verified the call is coming from its network but couldn't verify the caller's identity (common with calls from other carriers or customer networks).
- Gateway Attestation (C): The call originated outside the STIR/SHAKEN-compliant network (e.g., from a legacy PSTN gateway or international trunk). The gateway provider asserts the call entered the network at a specific point.
Terminating carriers then decide what to do with this information. A call with Full Attestation might be treated as trusted. A call with Gateway Attestation might be subjected to additional verification or flagged as potentially risky.
FCC Mandate Timeline and Compliance Requirements
The FCC's STIR/SHAKEN requirements rolled out in phases. Here's the current status:
June 30, 2021: Large carriers (over 10 million subscribers) were required to implement STIR/SHAKEN.
June 30, 2022: Carriers with 100,000–10 million subscribers were required to implement.
June 30, 2023: All other carriers and voice service providers were required to implement.
Current (2024+): STIR/SHAKEN is mandatory. The FCC continues to enforce compliance and issue guidance on implementation requirements.
What This Means for You:
- If you're a carrier or telecom provider, STIR/SHAKEN implementation is no longer optional.
- If you're an enterprise with a SIP trunk, your carrier likely requires STIR/SHAKEN support on your calls.
- If you're an MSP or voice service provider, you must support STIR/SHAKEN for your customers.
The FCC also requires that carriers block calls with invalid attestation levels under certain conditions. The specifics continue to evolve, but the trend is clear: unverified calls face increasing scrutiny and may be blocked or flagged.
Step-by-Step Implementation Guide
Phase 1: Assessment and Planning
Before touching infrastructure, map your current state:
- Audit Your Call Flow
- Identify all originating call routes (which systems generate outbound calls?)
- Identify all terminating call routes (where do inbound calls arrive?)
- Document every gateway, SIP trunk, and voice service provider in your network
- List all number blocks you originate calls from
- Identify Compliance Gaps
- Does your current system support STIR/SHAKEN token generation?
- Can your SIP infrastructure carry STIR tokens in the SIP INVITE?
- Do your gateways support SHAKEN validation?
- Are there legacy components that cannot be upgraded?
- Plan Your Certificate Strategy
- Determine which Certificate Authority (CA) you'll work with (common CAs include Comtech, TeleCommunications Clearinghouse, and others approved by the FCC)
- Decide which number blocks will be covered by certificates
- Plan for certificate renewal cycles (typically annual)
- Consider how you'll manage certificates if you have multiple number blocks or customer allocations
- Define Attestation Policies
- Decide what attestation level you'll assert for each call type (Full, Partial, or Gateway)
- Document criteria for each level
- Plan how you'll validate caller identity before asserting Full Attestation
Phase 2: Infrastructure Upgrades
This is where implementation gets into the details:
- Upgrade SIP Infrastructure
- Your SIP platform must support STIR/SHAKEN token generation and insertion into SIP INVITE messages
- Many modern SBCs (Session Border Controllers) and SIP PBXs support STIR/SHAKEN natively; older systems may not
- Test token generation with a lab environment before deploying to production
- Implement Validation on Termination
- Deploy SHAKEN validation on incoming calls
- Configure your system to extract and verify STIR tokens
- Set policy based on attestation level (e.g., calls with Full Attestation are trusted; Gateway Attestation calls trigger additional checks)
- Handle Non-STIR/SHAKEN Traffic
- Some calls will arrive without STIR/SHAKEN tokens (calls from legacy carriers, international trunks, older gateways)
- Define how your system handles these calls
- The FCC's guidance suggests that non-compliant calls should be flagged or blocked, but enforcement varies by carrier
- Configure Certificate Management
- Set up processes to install and renew digital certificates
- Ensure certificates cover all originating number blocks
- Plan for certificate rotation without service interruption
Phase 3: Testing and Validation
Before going live, test thoroughly:
- Token Generation Testing
- Originate test calls and verify tokens are generated and included in SIP messages
- Confirm token content (originating number, terminating number, timestamp)
- Verify digital signatures are valid
- Token Validation Testing
- Terminate test calls with STIR tokens and confirm validation succeeds
- Terminate test calls without STIR tokens and confirm the system handles them gracefully
- Test with invalid tokens to ensure the system rejects them appropriately
- End-to-End Call Testing
- Place calls from your originating system through your terminating system
- Verify attestation levels are assigned correctly
- Confirm call quality and signaling are unaffected by STIR/SHAKEN processing
- Regression Testing
- Confirm all existing call functionality still works
- Verify billing, call recording, and other services aren't disrupted
Phase 4: Production Deployment and Monitoring
- Phased Rollout
- Deploy to a subset of traffic first (e.g., a single trunk or geographic region)
- Monitor call success rates, token generation, and validation errors
- Expand gradually to full production
- Continuous Monitoring
- Track token generation success rates
- Monitor validation errors and rejection rates
- Alert on certificate expiration or renewal issues
- Log all STIR/SHAKEN attestation levels for compliance audits
- Stakeholder Communication
- Notify downstream carriers and customers about STIR/SHAKEN deployment
- Publish information about your attestation policies
- Provide guidance for customers about what to expect
Common Implementation Challenges (And How to Solve Them)
Challenge 1: Mixed Network Environments Many enterprises and carriers operate hybrid networks with modern SIP systems alongside legacy TDM (time-division multiplexing) gateways. Legacy systems cannot generate STIR tokens natively.
Solution: Deploy a STIR-capable SBC at the boundary between your legacy and modern networks. The SBC intercepts calls from legacy systems, generates STIR tokens for them, and forwards them into the STIR-compliant network.
Challenge 2: Certificate Management at Scale If you operate multiple number blocks, gateways, or customer allocations, certificate management becomes complex. Certificates expire, need renewal, and must cover the right number ranges.
Solution: Implement centralized certificate management. Use automation to track expiration dates, trigger renewals, and push new certificates to all systems. Consider a PKI platform designed for telecom environments.
Challenge 3: International Calls and Gateway Attestation International calls often traverse multiple carriers and legacy gateways before reaching their destination. These calls typically use Gateway Attestation because the originating information was established at an international gateway, not with the end user.
Solution: Classify calls appropriately. Distinguish between calls originating in your network (Full or Partial Attestation) and calls from international partners (Gateway Attestation). Document your policy and communicate it to terminating carriers.
Challenge 4: Compatibility with Legacy Carriers Some carriers, especially smaller regional carriers or international partners, may not fully support STIR/SHAKEN yet. Your calls to them might be rejected if they don't understand STIR tokens.
Solution: Implement fallback mechanisms. If a call fails with STIR/SHAKEN, retry without the token. Maintain a registry of carriers and their STIR/SHAKEN support status. Work with your carrier partner to drive adoption.
Challenge 5: Caller ID Display and Consumer Trust STIR/SHAKEN authenticates the originating number, but it doesn't automatically change how the number is displayed on consumer phones. Some terminating carriers display special indicators (like a "verified" badge) for STIR/SHAKEN-authenticated calls, but this isn't universal yet.
Solution: Focus on the regulatory requirement, not the consumer display benefit (yet). As adoption increases and devices evolve, consumer-facing display of STIR/SHAKEN verification will become more common.
Peeredge Native STIR/SHAKEN Support
46 Labs' Peeredge platform handles STIR/SHAKEN as a native feature of the carrier-grade orchestration layer. Here's what that means:
Token Generation and Signing: Peeredge generates STIR tokens for all originating calls, applies your digital certificates, and includes tokens in SIP signaling automatically. No additional systems or complexity required.
Flexible Attestation: Configure attestation policies per call type, per trunk, or per customer. Peeredge will assert Full, Partial, or Gateway attestation based on your policy.
Validation and Enforcement: On inbound calls, Peeredge validates STIR tokens, checks certificates, and verifies signatures. Calls without valid tokens are flagged and handled according to your policy.
Certificate Lifecycle Management: Peeredge manages certificate installation, renewal, and rotation. Certificate expiration alerts trigger automatically, ensuring you never miss a renewal deadline.
Compliance Logging: All STIR/SHAKEN operations are logged for audit purposes. Generate compliance reports with a single query.
STIR/SHAKEN: The New Normal
STIR/SHAKEN implementation is no longer a differentiator—it's table stakes. Carriers without it are facing FCC enforcement. Enterprises without it are vulnerable to fraud and spoofing. Voice service providers without it are losing customers.
But implementation doesn't have to be complex. With the right platform, clear planning, and a phased approach, STIR/SHAKEN can be deployed in weeks, not months.
The question isn't whether to implement STIR/SHAKEN. The question is how quickly you can move to it without disrupting your existing voice services.
Next Steps
If you're an enterprise implementing STIR/SHAKEN for the first time, start with Phase 1: understand your current call flow, identify gaps, and plan your certificate strategy. Talk to your carrier about their STIR/SHAKEN support and timeline.
If you're a carrier or voice service provider, prioritize Phase 2 and 3: upgrade your infrastructure, test thoroughly, and plan your rollout carefully.
And if you're struggling with STIR/SHAKEN at scale—managing multiple number blocks, diverse network architectures, or high call volumes—let's talk. 46 Labs' Peeredge platform is built for this. Schedule a consultation to see how we've helped carriers and enterprises deploy STIR/SHAKEN efficiently.
%201.png)