STIR/SHAKEN for Outbound Call Centers — A Practical Guide

What STIR/SHAKEN Is

STIR/SHAKEN is a set of technical standards and regulatory mandates designed to authenticate the origin of telephone calls traversing the North American PSTN. The acronym expands to Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted information using toKENs (SHAKEN).

The practical problem it addresses: caller ID spoofing. For decades, any carrier or piece of equipment could present any caller ID number it chose, with no verification that the originating party actually controlled that number. Robocall operators exploited this to impersonate government agencies, banks, and neighbors. STIR/SHAKEN introduces cryptographic signing at the originating carrier level so that terminating carriers can verify whether the presented caller ID is legitimate.

The framework was mandated in the US by the TRACED Act (2019) and the FCC's subsequent rules requiring all voice service providers to implement STIR/SHAKEN or file a robocall mitigation certification. Canada followed with CRTC mandates aligned to the same technical standards. Implementation deadlines have passed — the framework is active today on all major US and Canadian carrier networks.

How the Signing Process Works

When an outbound call originates on UnlimCall's network with a US or Canadian number, the following sequence occurs at the network layer:

1. Originating carrier verifies number ownership. UnlimCall confirms that the presented caller ID number is assigned to the calling party's account. This is a prerequisite for Full Attestation.

1. A PASSporT token is generated. A JSON Web Token (JWT) containing the originating number, the destination number, a timestamp, and an attestation level is created and cryptographically signed using a private key issued by a SHAKEN Certificate Authority.

1. The token is attached to the SIP INVITE. The signed token travels with the call through the SIP signaling path in the Identity header. It does not travel on the audio (RTP) path.

1. Terminating carrier verifies the signature. When the call arrives at the terminating carrier, the Identity header is validated against the originating carrier's public certificate. If the signature is valid and the certificate chain is trusted, the call is marked as authenticated.

1. The result is displayed (or not) to the recipient. Carriers and device analytics services use the verification result as one signal among many when deciding whether to flag, label, or pass the call cleanly.

Attestation Levels: A, B, and C

STIR/SHAKEN defines three attestation levels that indicate how much the originating carrier knows about the calling party and the number being presented.

A — Full Attestation. The carrier has verified that the customer is authorized to use the presented number and that the number is assigned to that customer's account. This is the strongest attestation level and the most favorable signal for terminating networks. UnlimCall signs US and Canadian calls at A-level attestation where origination conditions are met.

B — Partial Attestation. The carrier has authenticated the customer (knows who placed the call) but cannot fully verify the customer's right to use the specific caller ID presented. This happens when a customer presents a number they control that was not provisioned through the originating carrier. B-level attestation is better than unsigned but weaker than A.

C — Gateway Attestation. The carrier received the call from a gateway at the edge of its network and cannot verify either the calling party's identity or their right to use the presented number. C-level is applied to calls arriving from untrusted upstream interconnects. It provides minimal trust signal.

The attestation level is embedded in the PASSporT token and is visible to any carrier that validates the signature. Terminating carriers may weight calls differently depending on attestation level when applying spam scoring or call display logic.

Why This Affects Answer Rates

A signed call is not a guaranteed clean call — STIR/SHAKEN is one signal among many that carriers and analytics platforms use. But an unsigned call, or a call with C-level attestation, is more likely to be treated with suspicion by downstream analytics engines.

The practical effect varies by terminating carrier:

• Major US mobile carriers (AT&T, Verizon, T-Mobile) display a verified caller ID indicator on calls that pass STIR/SHAKEN validation on some handsets and plans.
• Third-party analytics platforms (Hiya, First Orion) incorporate STIR/SHAKEN status into their reputation scoring. A signed call from a known originator is less likely to receive a "Spam Likely" overlay.
• Some terminating carriers apply stricter filtering or call blocking policies to unsigned traffic, particularly on routes with high robocall complaint rates.

For outbound call centers, the cumulative effect is real: unsigned traffic from the same number that signed traffic from a different carrier sees meaningfully lower answer rates over time, even with identical dialing patterns. This is most pronounced in the US consumer market.

What UnlimCall Does at the Network Layer

UnlimCall's US and Canadian origination infrastructure is built to support STIR/SHAKEN signing for calls placed on numbers provisioned through the platform. Specifically:

• US and Canadian DIDs provisioned at onboarding are registered under UnlimCall's originating carrier authority, which holds the necessary SHAKEN certificate.
• Outbound calls presenting those numbers are signed with Full Attestation (A-level) where the number-to-account relationship can be verified at the time of origination.
• The Identity header is attached to the SIP INVITE and preserved across UnlimCall's network to the interconnect with the terminating carrier.

STIR/SHAKEN applies to US and Canadian numbers only. The framework does not exist in other markets — Europe, Australia, LATAM, and Asia-Pacific do not have equivalent mandated call authentication standards as of the date of this guide, though some national-level initiatives are in development.

UnlimCall does not guarantee regulatory compliance, answer rates, or call delivery outcomes. Customers are responsible for their own compliance posture and should consult qualified legal and regulatory counsel for their specific use case.

How to Preserve Attestation Through Your PBX

STIR/SHAKEN signing is done at the originating carrier level, but the signed Identity header must survive the entire SIP path from UnlimCall's edge to the terminating carrier. If your PBX strips or rewrites the Identity header, the verification fails at the far end and the call arrives unsigned.

Asterisk / FreePBX: Asterisk passes the Identity header transparently by default in recent versions (16+). Confirm your trunk configuration does not have header stripping enabled. Avoid using PJSIP_HEADERS channel variable manipulations that target the Identity field.

Kamailio / OpenSIPS: These B2BUAs rewrite headers by default. You must explicitly configure header passthrough for the Identity header using append_hf or equivalent mechanisms. Stripping is common in security-focused configurations — verify end-to-end.

GoHighLevel and hosted dialers: Hosted dialer platforms manage SIP internally. Check with your platform vendor whether their SIP layer passes the Identity header intact. If the platform performs B2B re-origination internally, the original attestation will not survive regardless of the originating carrier.