Meet Viirtue at Channel Partners​ 2026 - Las Vegas April 13-16
Request an Invite
Speak to an Expert: 1‑833‑844‑7883
REQUEST DEMO

STIR/SHAKEN Compliance Requirements (2026) for MSPs and Voice Resellers

STIR-SHAKEN-Compliance-Requirements-2026-for-MSPs-and-Voice-Resellers Title Card With Viirtue Branding
STIR/SHAKEN compliance requirements have evolved significantly heading into 2026, and MSPs, VoIP providers, and telecom resellers need to understand exactly where they stand. This guide breaks down FCC obligations by provider role, explains what changed with third-party signing rules effective September 2025, and covers the new annual Robocall Mitigation Database recertification deadline of March 1, 2026. Compliance is not one-size-fits-all — your specific role in the call path, your level of network control, and your certificate ownership all determine what you are actually required to do. Whether you originate calls, sit in the middle of the path, or resell voice services through a white-label platform, getting this wrong carries real operational and financial risk. Use this breakdown to audit your current setup and close any gaps before they become enforcement problems.

TL;DR: STIR/SHAKEN Compliance

  • Voice service providers concerned about STIR/SHAKEN compliance generally must implement STIR/SHAKEN in the IP portions of their networks and authenticate and verify caller ID for SIP calls, subject to extensions.

  • Intermediate providers must implement STIR/SHAKEN in IP networks, pass authenticated identity info unaltered downstream, and authenticate certain unauthenticated SIP calls (with specific gateway and non-gateway deadlines).

  • Non-IP networks have separate “upgrade or actively work on a non-IP authentication solution” requirements.

  • Third-party signing is allowed, but constrained: if you have a STIR/SHAKEN implementation obligation and use a third party to do the technical signing, you still must make attestation decisions, and calls must be signed with your certificate (not the third party’s).

  • 2026 operational change: annual RMD recertification is required by March 1 (first deadline March 1, 2026), with the recertification window opening Feb 1, 2026.

Caller ID “trust” is no longer a nice-to-have for VoIP. If your outbound calls are unsigned, signed incorrectly, or your compliance paperwork is stale, you can run into lower answer rates, spam labeling, and business-level risk in the interconnect chain.

This guide breaks down what STIR/SHAKEN is, what the FCC rules require by provider role, what changed with third-party signing rules (effective Sept 18, 2025), and what’s new for 2026 with annual Robocall Mitigation Database recertification.

Disclaimer: Informational only, not legal advice. STIR/SHAKEN obligations can depend on your exact role, contracts, and network control.

1) What is STIR/SHAKEN Anyway?

STIR/SHAKEN is the industry framework for caller ID authentication on IP (SIP) calls.

  • STIR (IETF) defines the technical mechanisms to cryptographically assert and verify calling identity in SIP, including a signature header approach.

  • PASSporT is a signed token format used to carry identity assertions.

  • SHAKEN is the deployment framework and governance model used by service providers for certificate-based authentication in real telecom networks.

In practical terms, an originating provider signs call identity information, downstream providers can verify it, and analytics tools can use that signal to help reduce spoofing and improve trust.

2) The Roles That Determine Your Obligations (Why MSPs Must Pay Attention)

FCC rules don’t treat everyone in the call path the same. Your compliance requirements depend on your role in the traffic flow:

  • Voice service provider: a provider furnishing voice service to end users using North American Numbering Plan (NANP) resources.

  • Intermediate provider: a provider that carries or processes calls in the middle of the path (not originating or terminating).

  • Gateway provider: an intermediate provider that receives calls from foreign providers at a US gateway and transmits them downstream.

If you’re an MSP or reseller, the key question is: Do you “furnish” voice service and control infrastructure in a way that creates a STIR/SHAKEN implementation obligation, or are you downstream of a provider that performs signing?

The FCC’s 2025 third-party signing rule summary explicitly distinguishes providers with an implementation obligation from those who may be exempt or extended because they lack control over the network infrastructure needed to implement STIR/SHAKEN.

3) What “STIR/SHAKEN Compliance” Actually Means Under FCC Rules

Many people use “we do STIR/SHAKEN” as shorthand. Compliance is more specific than that, and different by role.

Voice service providers: implement STIR/SHAKEN compliance in IP networks and do the work of authentication + verification

Under 47 CFR § 64.6301, not later than June 30, 2021 (subject to extensions), a voice service provider must fully implement STIR/SHAKEN in its IP networks, including:

  • Authenticating and verifying the caller ID for SIP calls that stay on its own network

  • Authenticating caller ID for SIP calls that originate and exchange with other providers (and passing authenticated caller ID info downstream where technically feasible)

  • Verifying the caller ID for authenticated SIP calls that it receives and terminates 

Intermediate providers: pass identity info downstream and authenticate certain unauthenticated traffic

Under 47 CFR § 64.6302, not later than June 30, 2021, intermediate providers must implement STIR/SHAKEN in IP networks and:

  • Pass authenticated caller ID info unaltered to the next provider (with narrow exceptions)

  • Authenticate calls they receive that lack authenticated caller ID info and that they’ll exchange as SIP calls, unless they meet the traceback-participation exception

  • Gateway providers must authenticate certain unauthenticated calls by June 30, 2023

  • Non-gateway intermediate providers receiving calls directly from an originating provider must authenticate certain unauthenticated calls by December 31, 2023 (unless extended)

Non-IP networks: upgrade or actively participate in a non-IP authentication solution

If your network relies on technology that can’t initiate/maintain/terminate SIP calls, you don’t just ignore STIR/SHAKEN. The rule structure forces an “upgrade or prove active work toward a non-IP solution” approach with deadlines by provider type.

4) Extensions You Need to Understand (Because “Deadline” Depends on the Facts)

Extensions exist, but they have conditions. Highlights from 47 CFR § 64.6304:

  • Small voice service providers are exempt from § 64.6301 through June 30, 2023, with specified carve-outs and conditions.

  • Providers that cannot obtain an SPC token due to Governance Authority policy have exemptions until capable of obtaining one.

  • Portions of networks that are non-IP are treated as subject to a continuing extension, but providers then must comply with the “non-IP network” obligations under § 64.6303 for those portions.

Takeaway: You cannot assume you’re exempt forever. Your role and infrastructure control determine whether you have an implementation obligation

5) Attestation Levels (A, B, C) and Why They Matter Operationally

Even when you are “signing,” you still need to sign at the correct attestation level, based on what you actually know and have verified.

One widely cited framing from SHAKEN standards is:

  • Full attestation: You originate the call onto the IP network, you have a direct authenticated relationship with the customer, and you have a verified association with the calling number.

  • Partial attestation: You originate the call, you know the customer, but you have not verified the association with the calling number.

  • Gateway attestation: You have no relationship with the call originator (often relevant for gateways).

Why this matters: Attestation is not “set and forget.” Your onboarding (KYC), number assignment/porting controls, and reseller workflows directly influence whether you can safely issue A-level attestations.

6) The 2025 Change: Third-party Signing is Allowed, but the Certificate and Attestation Cannot Be Outsourced

This is one of the most misunderstood changes, and it is extremely relevant for MSPs using “hosted SHAKEN” or carrier-hosted signing.

The FCC’s 2025 Federal Register summary states that providers with a STIR/SHAKEN compliance implementation obligation may engage third parties to perform the technological act of signing calls, so long as:

  1. The obligated provider makes the attestation-level decisions, and

  2. Calls are signed using the obligated provider’s certificate, not the third party’s.

It also explicitly requires providers with a STIR/SHAKEN implementation obligation to obtain an SPC token from the Policy Administrator and present it to a Certificate Authority to obtain a digital certificate, plus recordkeeping requirements for third-party authentication arrangements.

Practical MSP takeaway: If you are “outsourcing STIR/SHAKEN,” you still need to ask:

  • Who controls attestation decisions?

  • Whose certificate signs the traffic?

  • Do we have the right SPC token and certificate chain for the entity with the obligation?

7) The 2026 Change: Annual RMD Recertification and “Compliance Hygiene” Becomes Mandatory

Even if your signing and verification are working, the FCC has doubled down on the operational side: keeping filings accurate, up-to-date, and recertified.

A Jan 22, 2026, FCC Public Notice states:

There is also mention that a $100 application fee requirement for initial submissions and annual recertifications was noted as not yet effective at the time of that Public Notice.

8) At-a-Glance: FCC STIR/SHAKEN Compliance Obligations by Role

Role

Core obligation

Key deadline(s)

Voice service provider

Implement STIR/SHAKEN in IP networks; authenticate and verify caller ID for SIP calls (subject to extensions)

June 30, 2021, baseline, with extensions in § 64.6304

Intermediate provider

Implement STIR/SHAKEN in IP networks; pass authenticated identity unaltered; authenticate certain unauthenticated SIP calls

June 30, 2021 baseline; gateway auth by June 30, 2023; non-gateway auth by Dec 31, 2023

Non-IP network portions

Upgrade to SIP and fully implement, or prove active participation/testing toward a non-IP authentication solution

June 30, 2021 (voice service providers), June 30, 2023 (gateway), Dec 31, 2023 (non-gateway intermediate)

Providers using third-party signing (and have an implementation obligation)

Third party can do technical signing, but you must control attestation; calls must be signed with your certificate; obtain SPC token; keep records

Effective Sept 18, 2025 

RMD filers

Annual RMD recertification

Recert window opens Feb 1, 2026; deadline March 1, 2026

9) Practical STIR/SHAKEN Compliance Checklist for MSPs and VoIP Providers

Step 1: Classify your role and your level of network control

  • Are you the originating voice service provider?

  • Are you an intermediate provider (including gateway)?

  • Are you a reseller relying on an upstream provider’s switching/signing?

Your classification drives whether you have a STIR/SHAKEN implementation obligation and whether third-party signing rules apply to you as the obligated entity.

Step 2: Build a number and customer verification process that supports correct attestation

If you want higher-trust attestations, your operational processes matter: customer identity verification, number assignment/porting integrity, and reseller oversight. Attestation is defined by what you can confidently verify.

Step 3: Get into the SHAKEN governance and certificate ecosystem

At a minimum, the workflow typically involves:

  • registering in the SHAKEN ecosystem (Policy Administrator, Governance Authority context)

  • obtaining an SPC token

  • using it to request a certificate from an approved Certification Authority

The STI-GA describes its role working with IETF STIR and the ATIS/SIP Forum SHAKEN specification and governance rules for certificate infrastructure.

Step 4: Implement signing and verification correctly (and don’t break the identity header)

Intermediate providers have explicit duties to pass authenticated caller ID info downstream unaltered (with narrow exceptions). If identity is stripped in the middle, downstream verification suffers.

Step 5: If you rely on a third party for signing, verify you meet the 2025 guardrails

If you have the implementation obligation:

  • You must make attestation decisions

  • Calls must be signed with your certificate

  • You must obtain an SPC token and certificate

  • You must maintain records for third-party authentication arrangements

Step 6: Operationalize annual RMD recertification and ongoing updates

Treat this like a compliance SLO:

  • Add recurring reminders for February (recert window) and March 1 (deadline)

  • Assign ownership to a person and a backup

  • Make “10 business day updates” part of your change-control process (company name changes, address, contacts, mitigation vendor changes, etc.)

10) How Viirtue Fits Into a Compliance-first VoIP Stack

From a go-to-market standpoint, many MSPs want to sell voice while minimizing carrier-grade regulatory overhead. Viirtue positions STIR/SHAKEN as part of “trust and compliance built in” across its VoIP offerings, stating that calls are properly signed to help avoid spam labeling and improve answer rates.

If you want a broader compliance view beyond STIR/SHAKEN (RMD, traceback timelines, traffic gating), Viirtue’s robocall mitigation write-up is a useful companion piece to internally link from this post.

STIR/SHAKEN Compliance Requirements Are Only Getting Stricter

Staying compliant in 2026 means more than flipping a switch. It means knowing your role in the call path, owning your certificate chain, keeping your RMD filing current, and building processes that hold up when the FCC comes looking.

For MSPs and resellers, the easiest way to get this right is to partner with infrastructure that has compliance baked in from the start.

If you want to offer white-label VoIP without inheriting a compliance mess, learn more about becoming a Viirtue white-label partner and see how we handle the heavy lifting so you can focus on growing your business.

FAQ: STIR/SHAKEN Compliance Requirements

Do MSPs need to implement STIR/SHAKEN?

Sometimes yes, sometimes no. The FCC rules apply based on your role and whether you control the network infrastructure necessary to implement STIR/SHAKEN. Many reseller/white-label models still qualify as “voice service providers” for other obligations, so you should map your traffic and contracts carefully. (Federal Register)

Not necessarily. If you are the entity with a STIR/SHAKEN implementation obligation and you use a third party for technical signing, you still must control attestation decisions, and calls must be signed with your certificate. (Federal Register)

An SPC token (Service Provider Code token) is a credential used in the SHAKEN ecosystem to obtain certificates. The FCC’s third-party signing rules explicitly require providers with an implementation obligation to obtain an SPC token from the Policy Administrator and use it to obtain a certificate from an approved Certificate Authority. (Federal Register)

The FCC Public Notice released Jan 22, 2026, reminds filers that annual recertification is required by March 1, 2026, with the recert window opening Feb 1, 2026. (FCC Docs)

Picture of Dan Rosenrauch

Dan Rosenrauch

Dan Rosenrauch is the Co-Founder and CEO of Viirtue, a wholesale voice and UCaaS platform built for MSPs and telecom resellers in the Greater Tampa Bay area. With over 15 years of experience in telecom and SaaS, Dan has spent his career building platforms that help channel partners grow their businesses more efficiently. Before co-founding Viirtue, Dan founded Syntel Solutions, a UCaaS/CCaaS-focused CSP that grew to serve more than 350 customers monthly before merging with Element VoIP to become what Viirtue is today. He has guided the company from its technical roots, starting as CTO before stepping into the CEO role to lead Viirtue's overall strategy and growth.
Deploy a Fully-Featured Class 5 Softswitch under your own branding

Start Selling VoIP Today

viirtue logo for white label voip partners

AI Solutions

AI Voice Agents

Automate calls with smart, human-sounding voice agents built for scale.

AI Insights

Uncover real-time customer insights with AI-powered emotion and intent detection.

VoIP & Fax

ViiBE - Viirtue Billing Engine

Viirtue’s free, full-service tool for MSPs.
Free for all Viirtue partners, ViiBE makes quoting and billing seamless, so you can grow your business efficiently while serving your clients better.

Simplify Your Billing
Explore ViiBE Tools
FREE eBOOK

The 7 Silent
Profit Killers.

In just 25 minutes, you will spot the leaks, estimate the damage, fix the workflow, and get AI-ready, with downloadable checklists to lock it all in.

Download the FREE ebook and fix what’s costing you time and money before it costs you another week.