STIR/SHAKEN — what it is and what you need to do as a VPS PBX customer

STIR/SHAKEN is the framework US carriers use to cryptographically attest that the caller ID on an outbound call is legitimately owned by the originating party. Calls without proper attestation get flagged as "potential spam" on the receiving phone, and in many cases are blocked outright by recipient carriers. This article covers what STIR/SHAKEN means for your hosted PBX, what's on you vs. on your carrier, and how to make sure your outbound calls don't get marked as suspect.

The short version

STIR/SHAKEN signs every outbound call with one of three attestation levels:

• A (Full): carrier verified both the caller's identity AND the caller's right to use that caller ID. Best — calls go through without spam-flagging.
• B (Partial): carrier verified the caller's identity but not the caller ID ownership. Acceptable — usually delivered with some scrutiny.
• C (Gateway): carrier received the call from another carrier without sufficient attestation. Recipient carriers may flag or block.

The goal: every outbound call from your PBX gets A attestation from your carrier.

What's on your carrier (most of it)

STIR/SHAKEN signing happens at your carrier's edge, not on your PBX. Your carrier:

• Verifies you own the caller ID you're sending (DID ownership check, business verification, "Known Customer" status).
• Cryptographically signs each outbound INVITE with a token derived from a Service Provider Certificate.
• Includes an attestation level (A/B/C) in the SIP Identity header.

If you're using Telnyx, Flowroute, or VoIP.ms, all three handle STIR/SHAKEN signing on outbound. Your job is to make sure they can attest at level A.

What's on you

1. Only send caller IDs your carrier knows you own

If you send caller ID 15551234567 but you don't own that DID with the carrier (and the carrier hasn't otherwise verified it for you), they can't attest A on it. They'll downgrade to B or even C, and your call gets spam-flagged.