How to Become STIR/SHAKEN Compliant: A Step-by-Step Guide for 2025



In today’s telecom landscape, carriers, VoIP providers, and MVNOs face relentless pressure to combat illegal robocalls, spoofed numbers, and fraud. Regulators in the United States and Canada have made it clear: any provider delivering traffic to the PSTN must implement STIR/SHAKEN or face blocking, fines, and disconnections from upstream partners.

Whether you’re a new VoIP provider, a growing MVNO, a cloud PBX platform, or a carrier expanding internationally, understanding the steps to become compliant is essential. The process is not as difficult as it once was; modern Certificate Authorities (CAs) and switching platforms have made STIR/SHAKEN accessible and cost-effective.

This guide walks you step-by-step through everything you need to become fully STIR/SHAKEN compliant in 2025.


Step 1: Understand What STIR/SHAKEN Actually Is

Before you begin, it’s important to understand the fundamentals.

  • STIR (Secure Telephone Identity Revisited) defines the protocol for signing caller ID information.

  • SHAKEN (Signature-based Handling of Asserted Information Using toKENs) defines how those signatures are validated and transmitted across providers.

In simple terms:

STIR/SHAKEN ensures that when you place a call, the recipient can verify that the caller ID has not been spoofed and that the originating provider vouches for the call’s legitimacy.

For this, providers must:

  1. Sign outbound calls with a digital certificate.

  2. Verify inbound calls with the same framework.

  3. Maintain trust with the national policy administrator.


Step 2: Determine Whether You Are Required to Implement STIR/SHAKEN

You must implement STIR/SHAKEN if:

  • You are a voice service provider in the U.S. or Canada.

  • You originate or terminate calls on the PSTN.

  • You have direct or indirect access to numbering resources.

  • You operate VoIP traffic through SIP trunks.

  • You provide phone numbers to customers.

  • You hand off calls to Tier 1, 2, or 3 carriers.

You may be exempt if:

  • You only provide wholesale transport and never originate calls.

  • You are not offering consumer-facing voice services.

  • You do not access telephone numbers (rare today).

Most providers fall under the required category.


Step 3: Obtain an OCN (Operating Company Number) or Eligible Entity Status

In the United States, the STIR/SHAKEN ecosystem requires you to prove that your company is a legitimate voice provider. This verification is done through the Policy Administrator (STI-PA).

To do this, you must have at least one:

  • OCN (Operating Company Number)

  • RespOrg number

  • State registration as a telecommunications provider

  • FCC 499-A registration

Most VoIP companies use the FCC 499-A combined with a state registration.

If you don’t yet have your OCN or regulatory filings, complete them first—they are mandatory before you can sign outbound calls.


Step 4: Register With the STI-PA (Policy Administrator)

The STI-PA manages the trust ecosystem that ensures only legitimate carriers can sign calls.

Steps include:

  1. Create an account with the STI-PA.

  2. Submit your regulatory documents (e.g., 499-A, state license, OCN).

  3. Complete identity verification.

  4. Wait for certification approval.

Once approved, you can obtain your token, which proves your authority to request and use STIR/SHAKEN certificates.


Step 5: Select a Certificate Authority (STI-CA)

An STI-CA issues your official STIR/SHAKEN certificates. These certificates are used to sign outbound calls.

When choosing a CA, consider:

  • Cost

  • Speed of issuance

  • API availability

  • Ease of integration

  • Support for A, B, and C attestation

  • Whether the CA is recognized by the STI-PA

Examples of STIR/SHAKEN CAs include Peeringhub.io and others.

After choosing your CA, you will:

  1. Provide your STI-PA token.

  2. Request issuance of one or more certificates.

  3. Download the certificate and private key for signing.


Step 6: Implement STIR/SHAKEN in Your Softswitch or SIP Infrastructure

This is where many providers struggle—but today the process is much simpler.

You need a system (softswitch, SBC, or cloud platform) capable of:

  1. Signing outbound calls
    Using your certificate, the system creates a PASSporT token and attaches it to the SIP INVITE as an Identity Header.

  2. Verifying inbound calls
    The system checks the signature using the certificate from the originating provider.

  3. Assigning attestation levels (A, B, C)

    • A – You know the customer and control the number.

    • B – You know the customer but not the number.

    • C – Gateway traffic, unverifiable source.

Modern platforms like Denovolab, Opentact, FreeSWITCH with modules, or commercial SBCs make signing automated once configured.

If your platform does not support STIR/SHAKEN natively, you can use:

  • An external signing service

  • A cloud-based STIR/SHAKEN proxy

  • A hosted solution from your CA

This eliminates the need to modify your core switch.
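The claim checks behind "verifying inbound calls", as an added example that is not from the original guide or any vendor's code: it decodes the PASSporT carried in a SIP Identity header and checks its header fields, freshness and numbers against the SIP From and To. Validating the signature and certificate chain for the x5u certificate is assumed to happen in a separate step; the 60-second freshness window, the function names and the sample values are assumptions.

```python
import base64, json, re

def canon_tn(value):
    return re.sub(r"\D", "", str(value))  # compare numbers as digits only

def decode_part(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_identity(identity, from_tn, to_tn, now, max_age=60):
    """Return a list of claim problems; an empty list means the claims pass."""
    token, _, params = identity.partition(";")
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    try:
        header, claims = decode_part(parts[0]), decode_part(parts[1])
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    if (header.get("alg"), header.get("ppt"), header.get("typ")) != ("ES256", "shaken", "passport"):
        problems.append("unexpected alg/ppt/typ in header")
    x5u = str(header.get("x5u", ""))
    info = re.search(r"info=<([^>]*)>", params)
    if not x5u.startswith("https://") or not info or info.group(1) != x5u:
        problems.append("x5u missing, not https, or different from info parameter")
    if claims.get("attest") not in ("A", "B", "C") or not claims.get("origid"):
        problems.append("attest or origid missing or invalid")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        problems.append("iat missing or outside freshness window")
    orig, dest = claims.get("orig"), claims.get("dest")
    orig_tn = orig.get("tn", "") if isinstance(orig, dict) else ""
    dest_tns = dest.get("tn") if isinstance(dest, dict) else []
    dest_tns = dest_tns if isinstance(dest_tns, list) else []
    if canon_tn(orig_tn) != canon_tn(from_tn):
        problems.append("orig tn does not match SIP From number")
    if canon_tn(to_tn) not in [canon_tn(t) for t in dest_tns]:
        problems.append("SIP To number not listed in dest tn")
    return problems

def sample_identity(orig_tn, iat):
    """Constructed sample header value; the signature part is a placeholder."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": "https://cert.example.org/sp.pem"}
    pay = {"attest": "A", "dest": {"tn": ["12155550113"]}, "iat": iat,
           "orig": {"tn": orig_tn}, "origid": "123e4567-e89b-12d3-a456-426655440000"}
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc(hdr)}.{enc(pay)}.c2ln;info=<{hdr['x5u']}>;alg=ES256;ppt=shaken"
```

A call whose Identity header fails any of these checks should be treated as unverified even if the signature itself is valid.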


Step 7: Configure Attestation Logic

You must assign proper attestation values based on regulations.

Typical rules:

  • A = Retail customer using your numbers

  • B = Customer calling with their own number that you have not validated

  • C = International or gateway traffic

Be consistent—false A signatures can lead to penalties or call blocking.
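A self-audit for the rules above, as an added example that is not from the original guide: it recomputes the attestation each call was entitled to and reports calls that were signed at a higher level. The record fields (`source`, `customer_id`, `calling_tn`, `signed_attest`), the inventory layout and the sample data are hypothetical.

```python
import re

RANK = {"C": 0, "B": 1, "A": 2}  # higher rank = stronger claim about the caller

def canon_tn(value):
    return re.sub(r"\D", "", str(value))  # compare numbers as digits only

def expected_attestation(call, inventory):
    """A = your customer on a number you assigned to them,
    B = your customer on a number you have not validated,
    C = gateway or international traffic."""
    if call["source"] != "customer":
        return "C"
    assigned = {canon_tn(n) for n in inventory.get(call["customer_id"], [])}
    return "A" if canon_tn(call["calling_tn"]) in assigned else "B"

def audit_signed_calls(calls, inventory):
    """Return (call_id, signed, expected) for calls signed above what the rules allow."""
    findings = []
    for call in calls:
        expected = expected_attestation(call, inventory)
        signed = call.get("signed_attest")
        # An unknown level is reported too: it should never leave the switch.
        if signed not in RANK or RANK[signed] > RANK[expected]:
            findings.append((call["call_id"], signed, expected))
    return findings

# Constructed sample data (hypothetical customers and numbers).
INVENTORY = {"cust-1": ["+1 215 555 0112", "+1 215 555 0113"]}
CALLS = [
    {"call_id": "c1", "source": "customer", "customer_id": "cust-1",
     "calling_tn": "12155550112", "signed_attest": "A"},
    {"call_id": "c2", "source": "customer", "customer_id": "cust-1",
     "calling_tn": "12155550199", "signed_attest": "A"},
    {"call_id": "c3", "source": "gateway", "customer_id": None,
     "calling_tn": "442079460000", "signed_attest": "B"},
    {"call_id": "c4", "source": "gateway", "customer_id": None,
     "calling_tn": "442079460001", "signed_attest": "C"},
]

if __name__ == "__main__":
    for finding in audit_signed_calls(CALLS, INVENTORY):
        print("over-attested:", finding)
```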


Step 8: Test With Your Upstream Partners

Before going live, run test calls with:

  • Tier 1 carriers

  • Termination partners

  • Peering networks

Verify that:

  • Outbound calls show “Signed” in call traces

  • Inbound calls show correct verification results

  • Attestation is correct

  • Certificates are properly validated

At this stage, you should also test:

  • Failover behavior

  • Certificate expiration handling

  • Token refreshing automation


Step 9: Publish Your STIR/SHAKEN Policies and Maintain Compliance

STI-PA and CAs require continuous compliance:

  • Renew certificates annually

  • Update regulatory filings

  • Respond to traceback requests

  • Maintain call authentication logs

  • Keep SIP Identity Headers intact when forwarding calls

Many upstream carriers will audit your traffic to ensure you’re not abusing A-level attestation.


Step 10: Monitor and Improve Your Caller Reputation

Even with STIR/SHAKEN, your calls can still be flagged as spam if:

  • Customers make high-volume calls

  • Traffic resembles robocalling patterns

  • Numbers appear in complaint databases

To maintain good standing:

  • Monitor analytics (via YouMail, NoMoRobo, First Orion, etc.)

  • Rotate numbers responsibly

  • Investigate customer complaints

  • Use spam-rating APIs

  • Follow FCC robocall rules strictly

Good reputation ensures your calls reach the consumer cleanly, with no “Spam Likely” warnings.


Conclusion

Becoming STIR/SHAKEN compliant is no longer the complex multi-month process it used to be. With the right Certificate Authority, a compatible softswitch or cloud signing service, and proper regulatory documentation, most providers can complete the entire process in days—not months.

The key steps are:

  1. Understand requirements

  2. Verify eligibility

  3. Register with STI-PA

  4. Obtain a certificate from an approved CA

  5. Enable signing and verification in your platform

  6. Test thoroughly

  7. Maintain ongoing compliance

By following this step-by-step guide, your company will not only meet regulatory expectations but also improve call trust, reduce blocking, and elevate the quality of your voice services.
