STIR/SHAKEN Implementation: Why Low-Tier Carriers Are Creating Security Gaps
- Jon Elhardt
- Jun 17
- 8 min read

STIR/SHAKEN implementation has cut unwanted robocalls by 60% since 2019. Americans got 68 billion unwanted calls in 2024. This shows real improvement compared to the pre-pandemic peak of 106.9 billion.
We have a long way to go, but we can build on this progress. Your protection from spam calls largely depends on your carrier's handling of communications. The FCC required almost all carriers to implement the STIR/SHAKEN framework by June 30, 2023.
This created a clear divide in call authentication. The top seven US carriers properly sign 86% of their traffic, and more than 90% get the highest level attestation. The smaller carriers lag behind with less than 30% of calls meeting STIR/SHAKEN requirements.
This gap in authentication leaves serious security holes open. The FCC has flagged 2,400 Voice Service Providers for missing the STIR/SHAKEN deadline and mandate requirements. Major carriers have adapted well to the changes. Small carriers signed only 21% of calls under the framework in 2023, up slightly from 15% in 2022. On top of that, 89% of spam calls come from non-mobile lines where these protections don't work as well.
In this piece, you'll learn about how the STIR/SHAKEN framework operates, why smaller carriers create security gaps, and what this means for your safety against new voice scams.
STIR/SHAKEN Rollout and the FCC Mandate Timeline

The Federal Communications Commission (FCC) created a phased approach for the STIR/SHAKEN framework implementation. The 3-year old rules required large voice service providers to implement the framework in the IP portions of their networks by June 30, 2021. This staged rollout showed the complex technical challenges of creating a nationwide call authentication system.
June 30, 2023: Final STIR/SHAKEN Deadline for IP Networks
The FCC's roadmap concluded with the June 30, 2023 deadline—a final major milestone for STIR/SHAKEN compliance in IP-based voice networks. Small facilities-based voice service providers with fewer than 100,000 subscriber lines and gateway providers had to meet this date. The Commission emphasized that STIR/SHAKEN "becomes more effective as more providers implement it". This network effect plays a crucial role in the framework's success.
STIR/SHAKEN Requirements for Tier-1 vs Low-Tier Carriers
Carrier tiers faced different requirements. Tier-1 carriers achieved substantial progress with 85% of traffic between major carriers properly signed in 2023. Small carriers fell behind with only 21% of calls signed in 2023—up slightly from 15% in 2022. Only 17% of calls from Tier-1 to smaller carriers arrived with signatures, which exposed a major authentication gap.
Small operators struggled with the compliance burden. FCC regulations require all providers to file certifications in the Robocall Mitigation Database. These certifications must state whether they have fully, partially, or not implemented STIR/SHAKEN. Other providers can reject traffic from non-compliant providers after September 28, 2021.
How the TRACED Act Enforced Call Authentication Standards
The Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act laid the legal groundwork for these mandates. The FCC had to:
Mandate STIR/SHAKEN implementation within 18 months unless voluntary adoption occurred within 12 months
Address implementation barriers, especially for smaller carriers
Create a safe harbor to encourage call authentication and blocking
The Act acknowledged technological limitations, especially for non-IP networks. The FCC required providers using older technology to upgrade to IP or develop caller ID authentication solutions for non-IP networks. Every provider must also create robocall mitigation programs whatever their STIR/SHAKEN implementation status.
Authentication Gaps Created by Low-Tier Carriers

Small carriers lag behind large ones in implementing STIR/SHAKEN framework. This creates major authentication vulnerabilities that weaken caller ID authentication in the entire telecommunications ecosystem.
Only 21% of Small Carrier Calls Signed in 2023
Small carriers still struggle with STIR/SHAKEN implementation compared to larger providers. Only 21% of calls from smaller carriers were signed in 2023, up slightly from 15% in 2022. Traffic between Tier-1 carriers and smaller providers shows just 17% of calls arrive with proper signatures. Large carriers perform better with an 85% signing rate.
The situation keeps getting worse. The call authentication gap between large and small carriers doubled in the first half of 2023. This creates security weak spots across the voice network.
Call Attestation Disparity: A vs B/C Level Signing
Call signatures offer different levels of protection. Tier-1 carriers achieve 95% of voice traffic with "A" attestation, which proves both caller identity and number ownership. Calls with B or C attestation are riskier - data shows B-level attestation calls were 4.4 times more likely to be robocalls.
The quality gap in attestation tells a clear story:
B-level attestation calls had 22% robocall content over six months
C-level attestation calls showed 18.6-24.5% robocalls in early 2023
VoIP-Originated Traffic as a Primary Exploit Vector
Bad actors choose VoIP networks as their main target for robocall campaigns. VoIP numbers generated 70% of all unwanted traffic in the first half of 2023. The digital nature of VoIP systems and their connection challenges make them perfect targets.
We have a long way to go, but we can build on this progress. VoIP-originated signed traffic jumped from less than 20% in 2022 to nearly 60% by Q3 2023. Fraudulent callers will keep finding ways to exploit these technical gaps until every network type fully implements the framework.
Technical and Operational Barriers to Compliance

Small voice service providers encounter several technical obstacles as they try to implement STIR/SHAKEN framework requirements. These challenges explain the widening authentication gap and create ongoing security vulnerabilities in telecommunications networks of all sizes.
Legacy TDM Systems Blocking SIP Interoperability
Technical incompatibility creates the foundation of STIR/SHAKEN compliance issues. The STIR/SHAKEN framework works only on IP networks, which means providers using older TDM technology can't authenticate or verify calls under this framework. Small carriers who have implemented STIR/SHAKEN still face disruptions in call signing due to legacy tandem hops in their network chain. Destination carriers receive unsigned call traffic, which undermines STIR/SHAKEN's intended value.
Lack of SIP Peering and Interconnectivity Failures
Rural and smaller providers face interconnectivity problems because their networks depend heavily on legacy TDM tandems to handle intercarrier calls. Carriers need to meet at "carrier hotels" or designated interconnection points for traditional interconnection. Many smaller providers with limited subscriber lines can't justify dedicated physical connections due to bandwidth requirements. TNS data shows that better call signing needs solutions that provide smooth connectivity. This would help non-tier-1 carriers connect to thousands of networks without setting up individual peering arrangements.
Manual Traceback Processes in Unsigned Call Chains
Providers must use old, manual methods to trace calls without STIR/SHAKEN signature data. They need to figure out how a call reached a switch and contact each provider in the chain one by one. This tedious process substantially reduces the framework's effectiveness.
Financial Constraints Slowing Network Modernization
Money creates the biggest barrier to implementation. Non-top carriers struggle with financial pressures and higher maintenance costs for end-of-life TDM platforms. Network upgrades require them to interconnect at distant points outside their service areas, adding transport costs they don't currently pay. Less than 30% of calls from non-top carriers have STIR/SHAKEN signatures. This low adoption rate continues to hurt industry-wide fraud prevention efforts.
Emerging Threats and the Need for Full Adoption
The telecommunications world faces new threats that highlight why we need complete STIR/SHAKEN implementation for carriers of all sizes. Bad actors exploit vulnerabilities created by partial adoption as technology advances and new attack methods emerge.
AI Voice Cloning and Deepfake Robocalls
AI-generated voice cloning poses a major challenge to caller identity verification. The FCC unanimously ruled in early 2024 that AI-generated voices count as "artificial" under the Telephone Consumer Protection Act. This ruling made voice cloning technology used in robocall scams illegal immediately. The decision came after a significant incident where deepfake robocalls used President Biden's voice to target New Hampshire voters before the 2024 presidential primary.
The FCC took swift action and fined the responsible political consultant $6 million. They also imposed a $2 million fine on voice provider Lingo Telecom for apparent STIR/SHAKEN violations that enabled these fraudulent calls. Lingo had applied A-level STIR/SHAKEN attestation to these calls without proper caller ID verification, which made other providers less likely to flag them.
Branded Calling Requires Verified Caller Identity
Reliable call authentication must support branded calling features to ensure security. These features could actually increase scam effectiveness without proper verification. TransUnion warns that "The worst possible scenario would be one where unauthenticated calls show fancy logos and provide consumers all the information to make them believe those calls are coming from a particular bank, healthcare or government institution they know and trust".
The STIR/SHAKEN framework's call authentication information needs tight integration with rich call content to build genuine trust. This integration creates extra security layers that help businesses restore their customers' confidence in voice communications.
Enterprise Authentication as a Complementary Layer
Enterprise authentication adds an essential layer to STIR/SHAKEN implementation. Industry research shows that "Enterprise authentication complements STIR/SHAKEN and broader robocall mitigation efforts by strengthening the authentication and verification process".
This approach protects brand reputation and addresses spoofed calls that harm customer experience. Rich Call Data (RCD) managed by enterprises and transmitted through STIR/SHAKEN offers authenticated, current, and brand-compliant caller information, unlike traditional CNAM services.
Protect Every Call—See Tendril in Action
Major and smaller carriers show a stark difference in their STIR/SHAKEN implementation, creating most important challenges for the telecommunications industry. Major carriers have reached impressive compliance rates with 86% of traffic properly signed, yet smaller providers don't deal very well with implementation, showing just 21% signed calls in 2023.
Your call's protection now heavily depends on which carriers handle them, creating a two-tiered security system.
The STIR/SHAKEN framework has proven it can choke off illegal robocalls—but only when every link in the carrier chain signs traffic the same way. Until low‑tier providers overcome TDM hang‑ups, SIP‑peering gaps, and tight CapEx budgets, fraudsters will keep slipping through the cracks with AI‑powered spoofs and brand‑impersonation scams.
Industry regulators can enforce, but they can’t upgrade networks on a carrier’s behalf. That’s where nimble technology partners come in.
Our human‑initiated, agent‑assisted dialling platform layers compliant call‑signing, real‑time DNC checks, and full‑session recordings onto any stack—so every outbound call you place (or transit) strengthens, rather than weakens, the STIR/SHAKEN ecosystem.
Want to see how quick, cost‑light compliance can look? Book a 15‑minute demo and watch a live Tendril agent trigger a fully authenticated call—no ATDS risk, no spoofed caller‑ID, just verified conversations that convert.

FAQs
Q1. Has STIR/SHAKEN been effective in reducing robocalls? While STIR/SHAKEN has made progress, its effectiveness varies. Major carriers have high compliance rates, but smaller providers lag behind, creating security gaps. The framework has helped reduce unwanted calls, but full implementation across all carriers is still needed for maximum effectiveness.
Q2. Why are some carriers struggling to implement STIR/SHAKEN? Many smaller carriers face technical and financial challenges in implementing STIR/SHAKEN. Legacy systems, lack of SIP peering, and the costs associated with upgrading infrastructure are significant barriers for low-tier providers.
Q3. Can STIR/SHAKEN prevent all types of call spoofing? STIR/SHAKEN doesn't prevent all spoofing, but it makes calls traceable to their origin. It's designed to authenticate caller ID information, making it easier to identify and trace fraudulent calls, though some vulnerabilities still exist.
Q4. How does STIR/SHAKEN impact emerging threats like AI voice cloning? While STIR/SHAKEN wasn't specifically designed for AI-based threats, it provides a foundation for authenticating calls. This can help combat emerging threats like deepfake robocalls by making it easier to trace the origin of fraudulent calls using AI voice cloning.
Q5. What improvements are needed to make STIR/SHAKEN more effective? To improve STIR/SHAKEN's effectiveness, there needs to be wider adoption across all carrier tiers, especially among smaller providers. Additionally, better integration with other security measures, such as enterprise authentication and branded calling features, can enhance overall call authentication and security.
Comments