Knowledgebase › STIR/SHAKEN — what it is and what you need to do as a VPS PBX customer

STIR/SHAKEN — what it is and what you need to do as a VPS PBX customer

STIR/SHAKEN is the framework US carriers use to cryptographically attest that the caller ID on an outbound call is legitimately owned by the originating party. Calls without proper attestation get flagged as "potential spam" on the receiving phone, and in many cases are blocked outright by recipient carriers. This article covers what STIR/SHAKEN means for your hosted PBX, what's on you vs. on your carrier, and how to make sure your outbound calls don't get marked as suspect.

The short version

STIR/SHAKEN signs every outbound call with one of three attestation levels:

  • A (Full): carrier verified both the caller's identity AND the caller's right to use that caller ID. Best — calls go through without spam-flagging.
  • B (Partial): carrier verified the caller's identity but not the caller ID ownership. Acceptable — usually delivered with some scrutiny.
  • C (Gateway): carrier received the call from another carrier without sufficient attestation. Recipient carriers may flag or block.

The goal: every outbound call from your PBX gets A attestation from your carrier.

What's on your carrier (most of it)

STIR/SHAKEN signing happens at your carrier's edge, not on your PBX. Your carrier:

  • Verifies you own the caller ID you're sending (DID ownership check, business verification, "Known Customer" status).
  • Cryptographically signs each outbound INVITE with a token derived from a Service Provider Certificate.
  • Includes an attestation level (A/B/C) in the SIP Identity header.

If you're using Telnyx, Flowroute, or VoIP.ms, all three handle STIR/SHAKEN signing on outbound. Your job is to make sure they can attest at level A.

What's on you

1. Only send caller IDs your carrier knows you own

If you send caller ID 15551234567 but you don't own that DID with the carrier (and the carrier hasn't otherwise verified it for you), they can't attest A on it. They'll downgrade to B or even C, and your call gets spam-flagged.

Configure your FreePBX/FusionPBX outbound CallerID to a number you actually own with that carrier. Three options:

  • Use a DID you bought from the carrier — the cleanest case. The carrier knows the number is yours.
  • Port your existing main number to the carrier — once it's hosted there, the carrier owns the attestation chain.
  • Use the carrier's "verified caller ID" or BYO-CID process — most carriers offer a way to declare "we should treat this external number as one our customer is authorized to use." Process varies; Telnyx has a "Number Lookup" verification flow; others have similar.

2. Complete your carrier's business verification

Each carrier requires some level of business verification to issue high-attestation calls. Telnyx requires you to complete the Regulatory Profile (FCC info, business address). VoIP.ms and Flowroute have similar verification steps. Without verification, you may be limited to B-level attestation.

3. Don't spoof — at all

If your PBX has logic that sets caller ID dynamically (forwarding a call and passing through the original caller's number, for instance), the carrier sees a caller ID it can't attest. Most carriers either downgrade attestation or refuse the call entirely now.

Specifically:

  • Call forwarding that preserves original CID — set the outbound CID to your DID, not the forwarded caller's CID. You can put the original CID in a SIP header for the recipient to see, but the SIP From should be your DID.
  • Trunk-to-trunk transfers — same problem. Set the CID to your registered DID before bridging.
  • Customer caller ID display from a CRM — if your CRM stuffs a custom caller-name field, that's fine; the number must still be yours.

4. Don't make calls that look like fraud

Carriers have analytics that flag patterns like "1000 outbound calls per hour from a single DID" or "all calls go to area code XYZ and last under 6 seconds." Even with A attestation, those flag.

If you genuinely have high-volume outbound (call center, mass notifications), tell your carrier in advance — they can pre- authorize the pattern and avoid mass-blocking.

Verifying your attestation level

Three quick checks:

  1. Call your own mobile from the PBX. Modern iPhones and Android phones show "Verified" or no spam tag for A-attested calls; "Maybe Spam" or "Suspected Spam" for B/C.
  2. Carrier portal. Telnyx, Flowroute, and VoIP.ms all log per-call attestation in their CDR / analytics views. Check there for what level your recent calls got.
  3. FCC's Robocall Mitigation Database — your carrier has to be registered. If they're not, that's a problem.

What about inbound STIR/SHAKEN?

Inbound attestation is the recipient's concern, not yours. When your PBX receives a call from outside, the carrier passes the attestation level along in a SIP header (typically Identity: or Attestation-Indicator:). You can use Asterisk dialplan logic to handle low-attestation inbound differently (send to voicemail, play a warning, etc.) but most setups just deliver all calls and let users decide.

If you want to filter aggressively:

# FreePBX → Settings → Advanced Settings → search for STIR
# Set "STIR/SHAKEN Verification" to Enabled if your carrier
# supports it on inbound. Then inbound calls with low attestation
# can route differently via Time Conditions or Inbound CID
# filtering.

Stuff people commonly get wrong

  • "My calls are spam-tagged, must be my PBX's fault." Almost never. It's caller-ID or attestation; investigate at the carrier first.
  • "I'll use someone else's DID as caller ID, what's the harm." A lot. Carriers actively reject this now, and it's also illegal under TRACED Act in the US. Don't.
  • "My carrier doesn't care about STIR/SHAKEN." All US carriers are required by FCC to handle it. If yours seems not to, you're either misreading their docs or they're not really US.
  • "I bought a number from a different carrier than my trunk." The carrier signing your outbound has to be the carrier that "owns" the number (or has been delegated authority). Mixing carriers without coordination leads to C-level attestation. Either move the DID, or set up the cross-carrier attestation properly.

If you're stuck with spam-flagged calls

Steps to take, in order:

  1. Confirm what attestation level your outbound calls are getting. If less than A, fix at the carrier (verification, DID ownership).
  2. Confirm your caller ID matches a DID you own with the carrier. Adjust outbound CID config if not.
  3. Submit your number to free reputation-checking services (Hiya, YouMail, Nomorobo) to see how it's currently rated.
  4. If the number has been used for spam in the past (you bought a "burned" number), request the carrier rotate you to a clean one.

This isn't a problem LYLIX can fix from the hosting side — it's entirely between you and your carrier. But we see it often; happy to point you at the right knobs in the carrier portal if you open a ticket with specifics.

FreePBX® and Asterisk® are registered trademarks of Sangoma Technologies Corporation.

Also Read

Migrating from an on-prem PBX (Elastix, AsteriskNow, legacy boxes) to a LYLIX VPS PBX (Views: 3)
"FATAL ERROR: DB connect failed" on FreePBX/FusionPBX — diagnosing MariaDB problems (Views: 9)
Inbound and outbound route patterns in FreePBX — common scenarios (Views: 4)
Call queues that actually work — priority routing, agent skills, fallback destinations (Views: 4)
Connecting FreePBX to VoIP.ms — SIP trunk setup walkthrough (Views: 5)

« « Back

Powered by WHMCompleteSolution