TL;DR: STIR/SHAKEN Compliance
Voice service providers concerned about STIR/SHAKEN compliance generally must implement STIR/SHAKEN in the IP portions of their networks and authenticate and verify caller ID for SIP calls, subject to extensions.
Intermediate providers must implement STIR/SHAKEN in IP networks, pass authenticated identity info unaltered downstream, and authenticate certain unauthenticated SIP calls (with specific gateway and non-gateway deadlines).
Non-IP networks have separate “upgrade or actively work on a non-IP authentication solution” requirements.
Third-party signing is allowed, but constrained: if you have a STIR/SHAKEN implementation obligation and use a third party to do the technical signing, you still must make attestation decisions, and calls must be signed with your certificate (not the third party’s).
2026 operational change: annual RMD recertification is required by March 1 (first deadline March 1, 2026), with the recertification window opening Feb 1, 2026.
Caller ID “trust” is no longer a nice-to-have for VoIP. If your outbound calls are unsigned, signed incorrectly, or your compliance paperwork is stale, you can run into lower answer rates, spam labeling, and business-level risk in the interconnect chain.
This guide breaks down what STIR/SHAKEN is, what the FCC rules require by provider role, what changed with third-party signing rules (effective Sept 18, 2025), and what’s new for 2026 with annual Robocall Mitigation Database recertification.
Disclaimer: Informational only, not legal advice. STIR/SHAKEN obligations can depend on your exact role, contracts, and network control.
1) What is STIR/SHAKEN Anyway?
STIR/SHAKEN is the industry framework for caller ID authentication on IP (SIP) calls.
STIR (IETF) defines the technical mechanisms to cryptographically assert and verify calling identity in SIP, including a signature header approach.
PASSporT is a signed token format used to carry identity assertions.
SHAKEN is the deployment framework and governance model used by service providers for certificate-based authentication in real telecom networks.
In practical terms, an originating provider signs call identity information, downstream providers can verify it, and analytics tools can use that signal to help reduce spoofing and improve trust.
2) The Roles That Determine Your Obligations (Why MSPs Must Pay Attention)
FCC rules don’t treat everyone in the call path the same. Your compliance requirements depend on your role in the traffic flow:
Voice service provider: a provider furnishing voice service to end users using North American Numbering Plan (NANP) resources.
Intermediate provider: a provider that carries or processes calls in the middle of the path (not originating or terminating).
Gateway provider: an intermediate provider that receives calls from foreign providers at a US gateway and transmits them downstream.
If you’re an MSP or reseller, the key question is: Do you “furnish” voice service and control infrastructure in a way that creates a STIR/SHAKEN implementation obligation, or are you downstream of a provider that performs signing?
The FCC’s 2025 third-party signing rule summary explicitly distinguishes providers with an implementation obligation from those who may be exempt or extended because they lack control over the network infrastructure needed to implement STIR/SHAKEN.
3) What “STIR/SHAKEN Compliance” Actually Means Under FCC Rules
Many people use “we do STIR/SHAKEN” as shorthand. Compliance is more specific than that, and different by role.
Voice service providers: implement STIR/SHAKEN compliance in IP networks and do the work of authentication + verification
Under 47 CFR § 64.6301, not later than June 30, 2021 (subject to extensions), a voice service provider must fully implement STIR/SHAKEN in its IP networks, including:
Authenticating and verifying the caller ID for SIP calls that stay on its own network
Authenticating caller ID for SIP calls that originate and exchange with other providers (and passing authenticated caller ID info downstream where technically feasible)
Verifying the caller ID for authenticated SIP calls that it receives and terminates
Intermediate providers: pass identity info downstream and authenticate certain unauthenticated traffic
Under 47 CFR § 64.6302, not later than June 30, 2021, intermediate providers must implement STIR/SHAKEN in IP networks and:
Pass authenticated caller ID info unaltered to the next provider (with narrow exceptions)
Authenticate calls they receive that lack authenticated caller ID info and that they’ll exchange as SIP calls, unless they meet the traceback-participation exception
Gateway providers must authenticate certain unauthenticated calls by June 30, 2023
Non-gateway intermediate providers receiving calls directly from an originating provider must authenticate certain unauthenticated calls by December 31, 2023 (unless extended)
Non-IP networks: upgrade or actively participate in a non-IP authentication solution
If your network relies on technology that can’t initiate/maintain/terminate SIP calls, you don’t just ignore STIR/SHAKEN. The rule structure forces an “upgrade or prove active work toward a non-IP solution” approach with deadlines by provider type.
4) Extensions You Need to Understand (Because “Deadline” Depends on the Facts)
Extensions exist, but they have conditions. Highlights from 47 CFR § 64.6304:
Small voice service providers are exempt from § 64.6301 through June 30, 2023, with specified carve-outs and conditions.
Providers that cannot obtain an SPC token due to Governance Authority policy have exemptions until capable of obtaining one.
Portions of networks that are non-IP are treated as subject to a continuing extension, but providers then must comply with the “non-IP network” obligations under § 64.6303 for those portions.
Takeaway: You cannot assume you’re exempt forever. Your role and infrastructure control determine whether you have an implementation obligation.
5) Attestation Levels (A, B, C) and Why They Matter Operationally
Even when you are “signing,” you still need to sign at the correct attestation level, based on what you actually know and have verified.
One widely cited framing from SHAKEN standards is:
Full attestation: You originate the call onto the IP network, you have a direct authenticated relationship with the customer, and you have a verified association with the calling number.
Partial attestation: You originate the call, you know the customer, but you have not verified the association with the calling number.
Gateway attestation: You have no relationship with the call originator (often relevant for gateways).
Why this matters: Attestation is not “set and forget.” Your onboarding (KYC), number assignment/porting controls, and reseller workflows directly influence whether you can safely issue A-level attestations.
6) The 2025 Change: Third-party Signing is Allowed, but the Certificate and Attestation Cannot Be Outsourced
This is one of the most misunderstood changes, and it is extremely relevant for MSPs using “hosted SHAKEN” or carrier-hosted signing.
The FCC’s 2025 Federal Register summary states that providers with a STIR/SHAKEN compliance implementation obligation may engage third parties to perform the technological act of signing calls, so long as:
The obligated provider makes the attestation-level decisions, and
Calls are signed using the obligated provider’s certificate, not the third party’s.
It also explicitly requires providers with a STIR/SHAKEN implementation obligation to obtain an SPC token from the Policy Administrator and present it to a Certificate Authority to obtain a digital certificate, plus recordkeeping requirements for third-party authentication arrangements.
Practical MSP takeaway: If you are “outsourcing STIR/SHAKEN,” you still need to ask:
Who controls attestation decisions?
Whose certificate signs the traffic?
Do we have the right SPC token and certificate chain for the entity with the obligation?
7) The 2026 Change: Annual RMD Recertification and “Compliance Hygiene” Becomes Mandatory
Even if your signing and verification are working, the FCC has doubled down on the operational side: keeping filings accurate, up-to-date, and recertified.
A Jan 22, 2026, FCC Public Notice states:
The effective date of 47 CFR § 64.6305(h) is February 5, 2026.
Filers must recertify RMD filings by March 1, 2026, and the recertification window opens February 1, 2026.
The FCC also announced effective dates for increased base forfeiture amounts: $10,000 for false/inaccurate RMD info and $1,000 for failure to update the RMD within 10 business days when required.
CORES information tied to your FRN must be updated within 10 business days of changes, with an effective date of Feb 5, 2026 (per the same Public Notice).
There is also mention that a $100 application fee requirement for initial submissions and annual recertifications was noted as not yet effective at the time of that Public Notice.
8) At-a-Glance: FCC STIR/SHAKEN Compliance Obligations by Role
Role | Core obligation | Key deadline(s) |
|---|---|---|
Voice service provider | Implement STIR/SHAKEN in IP networks; authenticate and verify caller ID for SIP calls (subject to extensions) | |
Intermediate provider | Implement STIR/SHAKEN in IP networks; pass authenticated identity unaltered; authenticate certain unauthenticated SIP calls | June 30, 2021 baseline; gateway auth by June 30, 2023; non-gateway auth by Dec 31, 2023 |
Non-IP network portions | Upgrade to SIP and fully implement, or prove active participation/testing toward a non-IP authentication solution | |
Providers using third-party signing (and have an implementation obligation) | Third party can do technical signing, but you must control attestation; calls must be signed with your certificate; obtain SPC token; keep records | |
RMD filers | Annual RMD recertification |
9) Practical STIR/SHAKEN Compliance Checklist for MSPs and VoIP Providers
Step 1: Classify your role and your level of network control
Are you the originating voice service provider?
Are you an intermediate provider (including gateway)?
Are you a reseller relying on an upstream provider’s switching/signing?
Your classification drives whether you have a STIR/SHAKEN implementation obligation and whether third-party signing rules apply to you as the obligated entity.
Step 2: Build a number and customer verification process that supports correct attestation
If you want higher-trust attestations, your operational processes matter: customer identity verification, number assignment/porting integrity, and reseller oversight. Attestation is defined by what you can confidently verify.
Step 3: Get into the SHAKEN governance and certificate ecosystem
At a minimum, the workflow typically involves:
registering in the SHAKEN ecosystem (Policy Administrator, Governance Authority context)
obtaining an SPC token
using it to request a certificate from an approved Certification Authority
The STI-GA describes its role working with IETF STIR and the ATIS/SIP Forum SHAKEN specification and governance rules for certificate infrastructure.
Step 4: Implement signing and verification correctly (and don’t break the identity header)
Intermediate providers have explicit duties to pass authenticated caller ID info downstream unaltered (with narrow exceptions). If identity is stripped in the middle, downstream verification suffers.
Step 5: If you rely on a third party for signing, verify you meet the 2025 guardrails
If you have the implementation obligation:
You must make attestation decisions
Calls must be signed with your certificate
You must obtain an SPC token and certificate
You must maintain records for third-party authentication arrangements
Step 6: Operationalize annual RMD recertification and ongoing updates
Treat this like a compliance SLO:
Add recurring reminders for February (recert window) and March 1 (deadline)
Assign ownership to a person and a backup
Make “10 business day updates” part of your change-control process (company name changes, address, contacts, mitigation vendor changes, etc.)
10) How Viirtue Fits Into a Compliance-first VoIP Stack
From a go-to-market standpoint, many MSPs want to sell voice while minimizing carrier-grade regulatory overhead. Viirtue positions STIR/SHAKEN as part of “trust and compliance built in” across its VoIP offerings, stating that calls are properly signed to help avoid spam labeling and improve answer rates.
If you want a broader compliance view beyond STIR/SHAKEN (RMD, traceback timelines, traffic gating), Viirtue’s robocall mitigation write-up is a useful companion piece to internally link from this post.
STIR/SHAKEN Compliance Requirements Are Only Getting Stricter
Staying compliant in 2026 means more than flipping a switch. It means knowing your role in the call path, owning your certificate chain, keeping your RMD filing current, and building processes that hold up when the FCC comes looking.
For MSPs and resellers, the easiest way to get this right is to partner with infrastructure that has compliance baked in from the start.
If you want to offer white-label VoIP without inheriting a compliance mess, learn more about becoming a Viirtue white-label partner and see how we handle the heavy lifting so you can focus on growing your business.
FAQ: STIR/SHAKEN Compliance Requirements
Do MSPs need to implement STIR/SHAKEN?
Sometimes yes, sometimes no. The FCC rules apply based on your role and whether you control the network infrastructure necessary to implement STIR/SHAKEN. Many reseller/white-label models still qualify as “voice service providers” for other obligations, so you should map your traffic and contracts carefully. (Federal Register)
If my upstream carrier signs calls, am I done?
Not necessarily. If you are the entity with a STIR/SHAKEN implementation obligation and you use a third party for technical signing, you still must control attestation decisions, and calls must be signed with your certificate. (Federal Register)
What is an SPC token?
An SPC token (Service Provider Code token) is a credential used in the SHAKEN ecosystem to obtain certificates. The FCC’s third-party signing rules explicitly require providers with an implementation obligation to obtain an SPC token from the Policy Administrator and use it to obtain a certificate from an approved Certificate Authority. (Federal Register)
When is the annual RMD recertification due?
The FCC Public Notice released Jan 22, 2026, reminds filers that annual recertification is required by March 1, 2026, with the recert window opening Feb 1, 2026. (FCC Docs)
