STIR/SHAKEN Explained: Why Your Call Shows Spam Likely (2026)
STIR/SHAKEN authenticates phone calls to combat caller-ID spoofing. Mandatory in US (FCC) and Canada (CRTC). Learn how the framework works, what A/B/C attestation levels mean, why your call shows "Spam Likely" — and how to fix it in 2026.
If your phone shows “Spam Likely”, “Scam Likely” or “Potential Spam”on incoming calls — or if your own calls keep getting that label and people don't pick up — the system doing that labelling is called STIR/SHAKEN. It's a call-authentication framework mandated by the US Federal Communications Commission (FCC) since 2021 and expanded in April 2026 to cover gateway providers handling international traffic. Canada's CRTC has adopted the same framework; the UK and most of the rest of the world have not. This guide explains how STIR/SHAKEN actually works, what the attestation levels mean (A, B, C), why your call gets labelled, what you can do about it as a caller, and why VoIP calls from outside the US increasingly struggle to reach US recipients without “Spam Likely” treatment.
STIR/SHAKEN in 60 seconds
- What it is: a cryptographic framework that lets phone networks verify that a call really came from the number it claims to be from.
- Why it exists:to combat caller-ID spoofing — the technique scammers use to make robocalls appear to come from your neighbour or your local bank.
- Where it operates: mandatory in the US (FCC) and Canada (CRTC). Optional / experimental in the UK and Australia. Not adopted in most of the rest of the world.
- What you see:“Spam Likely”, “Scam Likely”, “Potential Spam”, or the call going straight to voicemail without ringing.
- What it means for you:if you're calling US/Canadian numbers from a free VoIP service or an unverified carrier, expect labelling. If you're receiving calls, the labels are usually right but not always.
What “STIR/SHAKEN” Actually Stands For
Two acronyms describing two parts of the same framework:
- STIR = Secure Telephone Identity Revisited. An IETF protocol standard (RFC 8224 and related) that defines the cryptographic signatures used to authenticate caller identity. It's the “math” layer.
- SHAKEN = Signature-based Handling of Asserted information using toKENs. A framework developed by the ATIS / SIP Forum that defines how telephone carriers actually deploy STIR in their networks. It's the “plumbing” layer.
In practice, you'll see them written together as STIR/SHAKEN(or sometimes “SHAKEN/STIR”), and they're used interchangeably for the framework as a whole. The combined name is partly an industry joke about cocktail-making — James Bond's “shaken, not stirred” martini.
How a STIR/SHAKEN Call Works (Plain English)
When you make a call in a STIR/SHAKEN-enabled network, four things happen behind the scenes between you pressing call and the other phone ringing:
Step 1: Your carrier checks if you own the number
Your originating carrier (the one you're calling from) checks its records. Does this customer actually have the right to use this caller ID? Are they calling from a number they own, or one they've been authorised to use? This check produces an attestation level (more on that below).
Step 2: A cryptographic signature is attached
Your carrier signs the call header with its private key, embedding the attestation level into a SIP Identity header. This signature can be verified by anyone in the chain using the carrier's public certificate.
Step 3: The call routes through the network
The call passes through intermediate carriers and routing networks. The signature stays with the call header. As of April 2026, the FCC mandate requires gateway providers (carriers that handle international traffic) to also participate, so foreign-originated calls now get an attestation when they cross into the US.
Step 4: Recipient's carrier verifies the signature
The recipient's carrier looks up the originator's public certificate, verifies the signature, and reads the attestation level. Based on that, plus its own spam-scoring algorithms, the recipient's phone may display the call as normal, with a verified-call badge, with a “Spam Likely” label, or block it entirely.
The Three Attestation Levels (A, B, C)
This is the part most consumers don't know exists but that determines how a call is treated by US/Canadian carriers. Every STIR/SHAKEN-signed call is assigned one of three attestation levels:
| Level | Name | What It Means | Likely Treatment |
|---|---|---|---|
| A | Full Attestation | Originating carrier verified both the customer identity AND that they have the right to use the caller ID | Pass through normally; may show “Verified” badge on newer phones |
| B | Partial Attestation | Originating carrier verified the customer identity but cannot verify the customer is authorised to use this specific caller ID | Often passes through; some carriers may flag |
| C | Gateway Attestation | Carrier only confirms the call entered their network (typically used for international traffic where the originating carrier is unknown) | High risk of “Spam Likely” label or outright blocking |
Critical for international callers:if you're calling a US or Canadian number from outside North America, your call typically gets a C-level attestation from the US gateway provider — even if your call is perfectly legitimate. This is why calls from a UK landline, an Indian mobile, or a Saudi STC number to a US number can show “Spam Likely” on the recipient's phone. It's not because the system thinks you're a scammer — it's because the system can't verify you aren't.
Why You See “Spam Likely” on Incoming Calls
The label is generated by your phone carrier (T-Mobile, AT&T, Verizon, Bell, Rogers, etc.) based on a combination of signals:
- STIR/SHAKEN attestation level— A passes cleanly; C is the highest risk; B sits in the middle.
- The carrier's own spam-scoring algorithm— takes into account call patterns, complaint history of the originating number, and machine- learning models trained on known robocall traffic.
- Third-party reputation feeds— services like First Orion, Hiya, RoboKiller and Truecaller share spam-number databases that influence labelling.
- User reports— calls reported as spam by enough users get flagged faster.
Each US carrier uses a slightly different spam-label algorithm and even slightly different language on the screen. T-Mobile and Sprint show “Scam Likely” as a label on the dial-out side. AT&T uses “Spam Risk”. Verizon uses “Potential Spam”. They're all the same underlying signal.
Why Your Outgoing Calls Show as Spam (And How to Fix It)
If your own calls keep getting labelled “Spam Likely” on recipients' phones — for example you're a small business owner whose customers keep ignoring your calls — the cause is almost always one of:
1. Your provider isn't STIR/SHAKEN-compliant
Fix:switch to a carrier or VoIP provider that signs with A-level attestation. Major US carriers (AT&T, Verizon, T-Mobile) all sign. Reputable business VoIP (RingCentral, 8x8, Vonage) sign. Many cheap or international VoIP services do not.
2. You're calling from a number not properly registered to you
Fix:ensure your business number is registered to your business entity with the carrier. The originating carrier checks ownership before assigning A-level. If you're using a borrowed or rented number, attestation drops to B or C.
3. Your number has been reported as spam
Fix:register with the major spam-database providers (Hiya, First Orion, Free Caller Registry) to assert your number is a legitimate business and request the label be removed. This usually takes 2–4 weeks to propagate.
4. You're calling from outside the US/Canada
Fix: use a VoIP service that maintains a verified US presence and signs outbound calls with A-level attestation. Most consumer VoIP services do not; business-grade VoIP providers with US infrastructure do.
5. You're making high call volumes
Fix: spam-scoring algorithms penalise high-volume callers (especially short calls with low answer rates), regardless of legitimacy. Slow the cadence, increase the answer rate (target known-good lead lists), and consider rotating between multiple numbers.
STIR/SHAKEN Around the World (2026)
The framework was developed primarily in the US through the FCC's implementation of the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, signed December 2019). Major adoption status as of mid-2026:
| Country / Region | Adoption Status | Notes |
|---|---|---|
| United States | Mandatory since June 2021; gateway providers from April 2026 | FCC TRACED Act mandate; Robocall Mitigation Database required |
| Canada | Mandatory since November 2021 | CRTC adopted the framework with US-compatible implementation |
| United Kingdom | Considered but not adopted | Ofcom uses a separate “CLI presentation” framework |
| European Union | Patchy adoption | No EU-wide mandate; some national regulators considering |
| Australia | In progress | ACMA developing CLI authentication; not STIR/SHAKEN exactly |
| India | No adoption | TRAI focused on other regulatory priorities |
| UAE / Saudi Arabia / GCC | No adoption | TDRA / CST focused on VoIP licensing rather than call authentication |
| Most of Africa, MENA, Asia | No adoption | Robocall pressure lower; cost of implementation high |
How STIR/SHAKEN Affects International Callers
The April 2026 FCC expansion to gateway providers is the part that matters most for international calling. Before April 2026, calls originating outside the US arrived in the US with no STIR/SHAKEN signature at all — they were treated like unattested calls in general, with carriers applying their own spam-scoring. After April 2026, the US gateway provider (the carrier that handles inbound international traffic) is required to assign at least a C-level attestation, which often results in the call being labelled “Spam Likely”.
For a diaspora caller in Dubai trying to reach family in California, this means:
- Your call rings; sometimes it's labelled “Spam Likely” on arrival.
- Your relative may decline to pick up unless they recognise your number.
- The likelihood of labelling depends on the routing path — calls that go through major direct-route carriers fare better than calls through grey-market wholesale carriers.
- A verified outbound caller ID (showing your real number rather than “Unknown”) significantly reduces the chance of automatic labelling.
Practical implication for VoIP services:when comparing browser- based calling services, the ones that maintain US/Canadian carrier relationships and provide A-level attestation for outbound calls are dramatically more likely to reach the recipient's phone without spam labelling. This is one of the quiet but important differences between consumer free-call services (which often can't attest) and reputable VoIP providers (which can).
Common Misconceptions
“STIR/SHAKEN blocks scam calls”
Not directly. STIR/SHAKEN authenticatescalls — it makes spoofing harder. The actual blocking and labelling decisions are made by the recipient carrier's spam-scoring algorithm based on attestation level plus other signals. The framework hasn't eliminated robocalls; reduction estimates run 20–40% since 2021 in the US.
“If I get a STIR/SHAKEN A-level call, it's definitely legitimate”
Not exactly. A-level means the originating carrier verified the customer is authorised to use the caller ID. A scammer who legitimately owns a phone number can still make scam calls with A-level attestation. The label means “identity verified”, not “not a scammer”.
“If I see Spam Likely, it's definitely spam”
Often, but not always. Legitimate calls can get the label too — especially international calls, calls from small businesses without proper STIR/SHAKEN implementation, or calls from numbers with bad reputation history. False positives are common enough that you should consider context (are you expecting a call from this area code?) before declining.
“Calling from a VPN bypasses STIR/SHAKEN”
No — STIR/SHAKEN operates on the telephony signalling layer, not the internet IP layer. A VPN changes what websites think your IP is; it has no effect on how phone carriers authenticate your calls. The two systems are entirely separate.
How to Check Your Number's Spam Reputation
If you're concerned your business or personal number is being labelled, several services let you check the current spam-reputation status:
- Free Caller Registry— the industry-shared registry where businesses can register legitimate numbers. Most major spam-database providers consult this.
- Hiya / First Orion / RoboKiller / Truecaller— check each service's number-lookup tool to see if your number is flagged in their database.
- YouMail Robocall Index— aggregate data on robocall patterns; if your number appears here it's flagged across multiple databases.
- Your phone provider's portal— some business-tier providers expose the STIR/SHAKEN attestation level you're currently being assigned on outbound calls.
How BubblyPhone Handles STIR/SHAKEN
BubblyPhone calls to US/Canadian numbers transit through our wholesale carrier partners that maintain STIR/SHAKEN compliance. Outbound calls are signed with the appropriate attestation level based on the verified caller ID you've configured on your account. This is one reason why our calls typically reach the recipient's phone without “Spam Likely” labelling — in contrast to anonymous browser dialler services where the call arrives unattested and gets flagged. For non-US/Canadian destinations, STIR/SHAKEN doesn't apply (those countries haven't adopted the framework), so the question is moot.
Calls That Actually Reach Their Destination
BubblyPhone signs outbound calls to US/Canadian numbers with STIR/SHAKEN attestation so your call doesn't show as “Spam Likely”. 30 minutes free credit on signup. Browser-based, no app to install.
Get 30 Free Minutes →Common Questions
What does “Scam Likely” mean on my phone?
The label is generated by your carrier's spam-detection system based on a combination of STIR/SHAKEN attestation level, the carrier's own spam-scoring algorithm, third-party reputation databases, and user reports. It indicates the carrier has flagged the call as having a high probability of being spam, but it's not always accurate — legitimate calls (especially international ones) can be labelled too.
Is STIR/SHAKEN required by law?
In the US, yes — mandated by the FCC's implementation of the TRACED Act since June 2021. In Canada, yes — mandated by the CRTC since November 2021. In the UK, no — Ofcom uses a different framework. In the EU, patchy adoption with no EU-wide mandate. Most of the rest of the world hasn't adopted it.
What is an attestation level?
The STIR/SHAKEN signature on a call includes one of three attestation levels. A (Full): the originating carrier verified the customer identity and right to use the caller ID. B (Partial): verified customer but cannot verify caller ID authorisation. C (Gateway): only confirmed the call entered the carrier's network — typical for international traffic. C-level attestation is the most likely to be labelled “Spam Likely” on the recipient's phone.
Why do my outgoing calls show as Spam Likely?
Five common causes: (1) your provider isn't STIR/SHAKEN compliant or signs with low attestation; (2) the number isn't properly registered to you with the carrier; (3) the number has been reported as spam by users or appears in spam databases; (4) you're calling from outside the US/Canada where gateway attestation defaults to C; (5) you're making high call volumes with low answer rates. Fix by registering with Free Caller Registry / Hiya / First Orion, switching to a STIR/SHAKEN-compliant provider, and pacing your call volume.
Does STIR/SHAKEN apply to international calls?
Yes for calls enteringthe US or Canada — since April 2026, US gateway providers must apply at least a C-level attestation to international inbound traffic. STIR/SHAKEN does NOT apply to calls between non-US/non-Canada countries (e.g. UAE to India), because those countries haven't adopted the framework.
Can scammers still spoof caller ID with STIR/SHAKEN in place?
Yes, but it's harder than it was pre-2021. Sophisticated scammers obtain legitimate phone numbers (sometimes through SIM swaps, hijacked business accounts, or off-shore VoIP providers without proper attestation) and use them for short windows before they get flagged. STIR/SHAKEN has reduced overall robocall volume by an estimated 20–40% in the US since 2021, not eliminated it.
Does STIR/SHAKEN work over Wi-Fi calls?
Yes — STIR/SHAKEN operates at the signalling layer (SIP), not at the transport layer. Whether the call travels over Wi-Fi, mobile data, or cellular voice channel doesn't affect the authentication. Both Wi-Fi calling on your iPhone and a standard mobile call get the same attestation treatment.
What is the TRACED Act?
Telephone Robocall Abuse Criminal Enforcement and Deterrence Act — signed into US law in December 2019 by President Trump. It required US phone carriers to implement STIR/SHAKEN by June 30, 2021, enabled the FCC to fine robocall violators up to $10,000 per call, and created the Robocall Mitigation Database. The April 2026 FCC expansion to gateway providers is part of the ongoing implementation of TRACED Act authority.
Related Resources
WhatsApp Voice Blocked by Country
A separate but related call-restriction phenomenon
Free Call No Signup
Why no-signup services get spam-flagged
Spam Number Checker
Look up if a number is reported as spam
TextNow Alternative
Free-number services and spam risk
Free Calls Online
Caller-ID considerations for browser callers
Cheap International Calls
How international calling and STIR/SHAKEN interact