TL;DR
Every provider in the US call chain must have an active Robocall Mitigation Database (RMD) filing and plan. This is true even if STIR/SHAKEN is fully implemented. Providers must also block traffic from entities that are not listed in the RMD. (FCC Docs)
New “third‑party authentication” rules take effect on September 18, 2025. If you are a provider that is obligated to implement STIR/SHAKEN and you use a third party to sign calls, you must obtain your own SPC token and certificate and ensure calls are signed with your certificate. (Federal Register)
Viirtue PSTN resellers have an easier path: Viirtue signs calls on our network. You still file in the RMD, but you may file as a provider without a STIR/SHAKEN implementation obligation and document your mitigation steps, including KYC and 24‑hour traceback response. (eCFR)
STIR/SHAKEN and the Robocall Mitigation Database
The FCC’s fight against illegal robocalls keeps raising the bar, and 2025 brings two major obligations every MSP and VoIP provider must understand: ongoing Robocall Mitigation Database (RMD) filings and new guardrails on third-party STIR/SHAKEN authentication.
Even if your calls are already signed, you still need an active RMD filing, a documented mitigation plan, and a process to block traffic from non-listed providers.
And starting September 18, 2025, providers with a STIR/SHAKEN obligation must use their own SPC token and certificate—no more outsourcing attestation decisions.
This blog unpacks what these rules mean for your business, who must file, and how Viirtue helps MSPs and resellers stay compliant without a heavy infrastructure lift.
Why this matters now
The FCC expanded RMD content and filing duties for all providers in the call path and set a February 26, 2024 deadline to update filings. Providers must refuse traffic from entities not in the RMD. Enforcement is active, with removals that require downstream providers to block those entities’ traffic. (FCC Docs)
In parallel, the FCC’s Eighth Report and Order established guardrails for using third parties to perform caller ID authentication. Starting September 18, 2025, providers that are obligated to implement STIR/SHAKEN must use their own certificate and make their own attestation decisions, even if a partner hosts the signing workflow. (Federal Register)
Quick refresher: STIR/SHAKEN and the RMD
STIR/SHAKEN authenticates caller ID for SIP calls using signed PASSporTs and A, B, or C attestation to combat spoofing. The Commission requires implementation on IP networks and has layered on complementary obligations for intermediate and gateway providers. (Federal Communications Commission)
Robocall Mitigation Database (RMD) is the FCC’s registry where providers certify their STIR/SHAKEN status and upload a robocall mitigation plan. As of 2024, all providers in the call chain must file and maintain an RMD certification and plan, regardless of STIR/SHAKEN status. (Federal Communications Commission)
Who must file in the RMD in 2025
Voice service providers that furnish voice communications to end users using NANP resources. This includes many white‑label or wholesale scenarios. (eCFR)
Intermediate providers and gateway providers that carry or process traffic that will traverse the PSTN. (eCFR)
All such providers must keep their filing current and update it within 10 business days if information changes. Downstream providers must block traffic from providers not listed in the RMD. (eCFR)
What your RMD filing must include
Your certification must state whether you have fully, partially, or not implemented STIR/SHAKEN and include detailed mitigation steps. At a minimum, plans must describe:
Specific, reasonable steps to avoid originating illegal robocalls
Your “know your customer” and “know your upstream provider” procedures
Analytics you use and any third‑party vendors
A commitment to respond to traceback requests within 24 hours
These elements are now mandatory disclosures. (eCFR)
The 2025 change: third‑party authentication guardrails
If you are a provider with a STIR/SHAKEN obligation and you rely on a partner to execute the technical signing, the 2025 rules require:
You determine attestation levels
Calls are signed with your own certificate from an approved CA
You hold an SPC token via the STI‑PA
Compliance deadline: September 18, 2025. (Federal Register)
How Viirtue makes this easier
Scenario A: You resell PSTN using Viirtue and do not claim a STIR/SHAKEN obligation
In this common MSP model, Viirtue authenticates outbound SIP calls on our network with our certificates and attestation policies.
You still file in the RMD, but you may select that you do not have a STIR/SHAKEN implementation obligation and explain that you lack control over the network infrastructure needed to implement STIR/SHAKEN. Your plan must still include your KYC, upstream vetting, analytics, and 24‑hour traceback practices. (eCFR)
Result: No SPC token or certificate management for you. Lower operational lift. You remain responsible for your RMD filing and mitigation program. (eCFR)
Scenario B: You have a STIR/SHAKEN obligation and want Viirtue to host signing
If you operate facilities or otherwise fall under the implementation rules, the new guardrails apply. You must obtain an SPC token and your own certificate, and you must control attestation. Viirtue can host the signing workflow using your certificate and your attestation decisions so you meet the 2025 requirements without building infrastructure from scratch. (Federal Register)
At‑a‑glance: Obligations by Provider Role
| Provider role | STIR/SHAKEN Requirement | RMD Filing Required | Block unlisted providers | Notes |
|---|---|---|---|---|
| Voice service provider with STIR/SHAKEN obligation | Yes | Yes | Yes | From Sep 18, 2025, certificate must be your own if any third party helps sign. (Federal Register) |
| Voice service provider without STIR/SHAKEN obligation (reseller without network control) | No | Yes | Yes | File as “no implementation” and document mitigation, KYC, upstream vetting, analytics, and 24‑hour traceback. (eCFR) |
| Intermediate provider | Authenticate if first non‑gateway in path for unauthenticated SIP calls | Yes | Yes | First intermediate must authenticate by Dec 31, 2023. (tlp.law) |
| Gateway provider | Implement STIR/SHAKEN on IP portions and maintain mitigation | Yes | Yes | Ongoing obligations apply to international ingress. (GovInfo) |
Compliance checklist for Viirtue partners
Confirm your role: reseller without control of network, or provider with an implementation obligation. (eCFR)
Prepare your RMD content: KYC procedures, upstream vetting, analytics, 24‑hour traceback commitment, and point of contact. (eCFR)
File or update in the RMD: use the FCC portal to submit your certification and mitigation plan, and update within 10 business days if anything changes. (Federal Communications Commission)
How Viirtue helps
PSTN with STIR/SHAKEN handled: when you use Viirtue PSTN without claiming a STIR/SHAKEN obligation, we sign calls on our network, and you focus on your RMD filing and mitigation program. (eCFR)
Hosted signing for obligated providers: if you must implement STIR/SHAKEN, we host the signing workflow using your certificate and attestation logic so you comply with the 2025 guardrails. (Federal Register)
RMD‑ready guidance: we provide partner resources that map our analytics, traceback response, and upstream vetting to the RMD disclosure fields required by the FCC. (eCFR)
Talk to us to confirm your role and choose the simplest compliant path.
Block unlisted providers: configure routing to refuse traffic from entities not listed in the RMD. This has been mandatory since May 28, 2024. (lermansenter.com)
If you have a STIR/SHAKEN obligation: obtain an SPC token via the STI‑PA and a certificate from an approved CA, and ensure your calls are signed with your certificate by September 18, 2025. Viirtue can host the signing for you. (Federal Register)
Not legal advice. Always consult counsel on your specific facts and filings.
The Takeaway
Staying compliant with the FCC’s robocall rules isn’t optional—every provider in the call chain has a role to play. Whether you’re an MSP reselling PSTN or a provider with a direct STIR/SHAKEN obligation, your Robocall Mitigation Database filing and 2025 authentication requirements must be handled correctly to avoid enforcement and traffic blocks.
Viirtue makes this process easier by signing calls on our network for resellers, or by hosting certificate-based signing workflows for providers that must implement STIR/SHAKEN themselves. The result: less complexity, faster compliance, and peace of mind.
Talk to Viirtue today to confirm your role and choose the simplest, most compliant path forward.
FAQ: STIR/SHAKEN and the Robocall Mitigation Database
Do I still need to file in the RMD if Viirtue signs my calls?
Yes. All providers in the call chain must maintain an RMD certification and mitigation plan. If you lack control over the infrastructure needed to implement STIR/SHAKEN, you may file as a provider without a STIR/SHAKEN obligation and include the required mitigation details. (FCC Docs)
What changed for third‑party STIR/SHAKEN in 2025?
Providers with a STIR/SHAKEN obligation must make attestation decisions and use their own certificate, even if a partner hosts the signing. Compliance date is September 18, 2025. (Federal Register)
What if I am only an agent and never originate or carry traffic?
If you are truly an agent and do not furnish voice service to end users, you may fall outside the provider definition.
Many white‑label arrangements still qualify as voice service providers because they furnish voice to end users using NANP resources. Review your contracts and traffic flows with counsel. (eCFR)
What happens if a provider is removed from the RMD?
Downstream providers must block that provider’s traffic. The FCC has removed non‑compliant filers and ordered industry‑wide blocking. (Federal Communications Commission)
