
STIR/SHAKEN Explained: Why Your US Calls Are Going to Spam

If your US outbound calls are getting answered with “Spam Likely” or “Scam Likely” on T-Mobile, Verizon, or AT&T — or worse, going straight to voicemail without ringing — the cause is almost always STIR/SHAKEN attestation. We explain attestation A vs B vs C, why most resold SIP trunking is stuck at B-attestation, and what it actually takes to get to A.

2026-04-26 · 8 min read

1. What STIR/SHAKEN actually is

STIR (Secure Telephony Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are paired US/Canadian standards for digitally signing the calling-party information of a phone call as it traverses carrier networks. The signing happens at the originating carrier; the verification happens at the terminating carrier; the signature rides along with the SIP INVITE as a JSON Web Token (JWT) in the Identity header.

The point: when a US/CA mobile carrier receives a call, it can verify that the calling number wasn't spoofed end-to-end — it was signed by a real, registered originating carrier with a known relationship to the number.

FCC rules required all US providers to implement STIR/SHAKEN by mid-2021. CRTC required Canadian providers by November 2021. So today, every legitimate US/CA originating carrier signs its outbound calls.

2. Attestation levels A, B, C — the part that actually matters for delivery

STIR/SHAKEN signs calls with one of three attestation levels. The originating carrier picks the level based on what they know about the call:

| Level | Meaning | What it asserts |
| --- | --- | --- |
| A — Full Attestation | Verified relationship between caller and Caller ID | The originating carrier (a) knows the caller, (b) verified the caller has the right to use the Caller ID number (allocated by them, ported in by them, or under verifiable authorization). |
| B — Partial Attestation | Known caller, unverified Caller ID | The originating carrier knows the caller (authenticated SIP, IP allowlist, etc.) but cannot verify the caller has the right to use the asserted Caller ID. Common for BYOC where the customer supplies the Caller ID. |
| C — Gateway Attestation | Caller and Caller ID both unverified | The call originated outside the carrier's authentication boundary — e.g. an international transit call. Effectively “we don't know whose call this is.” |

The single most important fact about attestation: mobile-carrier spam-analytics engines treat A, B, and C dramatically differently.
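
To see which level a carrier is actually putting on your calls, decode the token carried in the Identity header of a captured INVITE. The Python below is an added example, not DIDHub code: it reads the standard SHAKEN claims (attest, orig, iat, x5u) without verifying the ES256 signature. The header value, phone numbers and certificate URL are constructed, and the 60-second freshness window is an assumption.

```python
import base64, json, time

def b64url_json(segment):
    """Decode one unpadded base64url JWT segment into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def b64url(obj):
    """Encode a dict as a JWT segment (used only to build the sample)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(value):
    """Split an Identity header value into token header, claims and parameters."""
    token, *params = [p.strip() for p in value.split(";")]
    head, claims, _signature = token.split(".")
    return b64url_json(head), b64url_json(claims), dict(p.split("=", 1) for p in params)

def inspect_call(value, from_tn, now=None, max_age=60):
    """Return (attestation, findings). Decodes only; the signature is NOT verified."""
    head, claims, params = parse_identity(value)
    now = time.time() if now is None else now
    findings = []
    if head.get("ppt") != "shaken" or head.get("alg") != "ES256":
        findings.append("not a SHAKEN ES256 PASSporT")
    if params.get("info", "").strip("<>") != head.get("x5u"):
        findings.append("info parameter and x5u point at different certificates")
    attest = claims.get("attest")
    if attest not in ("A", "B", "C"):
        findings.append("missing or unknown attest claim")
    elif attest != "A":
        findings.append(f"signed {attest}: carrier did not vouch for the Caller ID")
    if claims.get("orig", {}).get("tn") != from_tn:
        findings.append("orig.tn differs from the From number")
    if abs(now - claims.get("iat", 0)) > max_age:  # max_age is an assumed window
        findings.append("iat outside freshness window")
    return attest, findings

# Constructed sample: placeholder numbers, certificate URL and signature bytes.
SAMPLE_IAT = 1700000000
CERT_URL = "https://certs.example.invalid/sp.pem"
SAMPLE_IDENTITY = ".".join([
    b64url({"alg": "ES256", "typ": "passport", "ppt": "shaken", "x5u": CERT_URL}),
    b64url({"attest": "B", "dest": {"tn": ["12025550123"]}, "iat": SAMPLE_IAT,
            "orig": {"tn": "14155550100"}, "origid": "00000000-0000-4000-8000-000000000000"}),
    "c2lnbmF0dXJl",
]) + f";info=<{CERT_URL}>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    print(inspect_call(SAMPLE_IDENTITY, "14155550100", now=SAMPLE_IAT + 5))
```

A clean result here only tells you what the token claims; the terminating carrier additionally validates the signature against the certificate referenced by x5u.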

3. Why your calls get flagged as spam

US mobile carriers (T-Mobile, Verizon, AT&T) layer machine-learning spam detection on top of STIR/SHAKEN data. The ML model sees, for every inbound call to one of their subscribers:

  • Attestation level (A / B / C / unsigned)
  • Originating carrier OCN (the carrier that signed)
  • Calling number history (call volume, geographic dispersion, complaint rate)
  • Time of day, call frequency to this subscriber, etc.

What the ML does with this:

  • Unsigned or attestation C: very high spam probability. Frequently flagged, often blocked outright.
  • Attestation B: moderate spam probability. Increasingly flagged or sent to spam-likely UI on T-Mobile and others.
  • Attestation A: baseline. The call still gets evaluated on calling-number history, but the attestation itself doesn't drag the call down.

So if you're using a SIP trunk where your carrier signs your calls as B-attestation (because they don't have a verified relationship to your Caller ID), the calls are starting from a worse position than calls signed A-attestation, even when the actual content is identical.

4. What US mobile carriers actually do with the data

Each major US mobile carrier exposes different UX for the same underlying decision:

  • T-Mobile (incl. Sprint): “Scam Likely” label on caller ID, sometimes a separate “Spam Likely” label, or a complete block depending on score. Most aggressive of the three.
  • Verizon: “Spam Likely” or “Spam ?” labels. Verizon's Call Filter app (default on) blocks calls scoring above a threshold.
  • AT&T: “Spam Risk” or “Telemarketer” labels via ActiveArmor. Less aggressive on outright blocking than T-Mobile.

For commercial outbound (sales, support callbacks, AI voice agents), getting flagged eats your answer rate. Industry data on flagged calls: answer rate drops from ~40% to ~5% when a call is labeled “Spam Likely.” Even worse, customers tell their carrier the call was spam, which feeds back into the model and makes future calls from that number more likely to be flagged.

5. How to actually fix the spam-labels problem

Three fixes, in order of how much they actually move the needle:

Fix 1: Use a carrier that signs your calls with attestation A

This is the highest-impact lever. To get attestation A, the originating carrier needs to verify your right to use the Caller ID. That's straightforward when:

  • The DID was allocated to you directly by that carrier (e.g. DIDHub-provisioned numbers)
  • The DID was ported in to that carrier on your behalf (e.g. DIDHub-handled port-in)
  • The DID is under a verifiable authorization (Letter of Authority + signed DID-validation agreement)

If you're presenting a BYOC Caller ID that's not under your carrier's authentication boundary, you'll typically get B-attestation. The fix: either consolidate DIDs to a single carrier that can sign A, or provide that carrier with a DID-authorization (LOA) for the BYOC Caller ID so they can validate it.

Fix 2: Register on Caller ID reputation services

The big three carriers all publish reputation databases that take input from registered businesses. The main gateways:

  • FreeCallerRegistry (TransUnion / TruContact) — fed back into Verizon, AT&T, and T-Mobile reputation models
  • First Orion — primary input for AT&T's analytics
  • Hiya / Cequint — T-Mobile's primary data

Register your business name and phone numbers on these. Won't help if the underlying STIR/SHAKEN attestation is wrong, but it adds positive signal that helps the ML decide.

Fix 3: Manage call patterns

  • Don't blast 5,000 calls in an hour from one DID — rotate across a pool
  • Match Caller ID region to recipient region (a +1 415 calling Bay Area mobiles is fine; calling Florida mobiles looks suspicious)
  • Don't call repeatedly to non-answers; the ML treats that as a spam signal
  • Make sure your STIR/SHAKEN signing certificate isn't shared across thousands of unrelated customers (some low-cost carriers do this; the certificate gets globally flagged)

6. How DIDHub does it

For US/CA outbound, DIDHub signs every call with attestation A by default for DIDs allocated through us or ported in via us. We hold an STI-CA-issued certificate, run our own STIR/SHAKEN signing infrastructure, and the certificate is dedicated to DIDHub-allocated and DIDHub-ported numbers — not pooled across thousands of unrelated tenants.

For BYOC scenarios where you bring your own Caller ID, we'll either:

  • Ingest the DID under DIDHub-validated authorization (you sign an LOA-style document, we validate, A-attestation works), or
  • Sign with B-attestation if validation isn't possible (you'll know upfront and we don't pretend it's A)

For full coverage, see /regulatory for STIR/SHAKEN posture and /numbers/united-states for US-specific provisioning details. Or talk to sales for help fixing a current spam-labeling problem on a specific number range.

Bottom line

STIR/SHAKEN is real, mobile-carrier ML is real, and the answer-rate impact of getting it wrong is enormous. If your US calls are flagged, the fix is almost always at the carrier layer: get DIDs from a carrier that signs you with A-attestation, register your business on the reputation databases, and manage your calling patterns. The good news: once it's right, it stays right.
