Why STIR/SHAKEN Doesn't Stop Robocalls — And What Actually Does
Quick Answer
STIR/SHAKEN is the FCC-mandated caller ID authentication protocol designed to stop spoofed robocalls. It verifies whether the originating carrier can confirm the caller's identity. However, STIR/SHAKEN does not block calls — it only labels them. Calls from international VoIP gateways, legacy TDM networks, and small carriers operating under compliance extensions bypass STIR/SHAKEN entirely. On-device call screening that evaluates STIR/SHAKEN attestation levels alongside behavioral heuristics provides the defense layer the protocol was designed to enable but cannot deliver alone.
What is STIR/SHAKEN and what does it actually do?
STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are complementary technical protocols mandated by the FCC under the TRACED Act of 2019. Full compliance was required for all U.S. carriers by June 30, 2021, with extensions granted to small carriers until June 2023.
The protocol assigns a cryptographic attestation level to every call at the point of origination:
- A (Full Attestation): The originating carrier has verified that the caller is authorized to use the displayed phone number. This is the strongest signal.
- B (Partial Attestation): The originating carrier has verified the caller's identity but cannot confirm authorization for the specific number displayed.
- C (Gateway Attestation): The call entered the carrier's network from an external source (international gateway, VoIP provider). The carrier can verify only the point of entry, not the caller's identity or number authorization.
The critical limitation: STIR/SHAKEN only authenticates. It does not block. A call carrying C-level attestation — meaning the caller's identity is completely unverified — still rings the phone. The attestation data is available to the receiving device, but the default behavior on every major U.S. carrier is to deliver the call regardless of attestation level.
Why does STIR/SHAKEN fail to stop international robocalls?
The FCC's STIR/SHAKEN mandate applies exclusively to U.S. carriers operating under FCC jurisdiction. International calling infrastructure is not subject to the mandate. This creates a structural gap:
According to the FCC's 2026 Robocall Mitigation Database (RMD), the majority of illegal robocall traffic entering the U.S. telephone network originates from international VoIP gateways. These calls enter through gateway carriers that can assign only C-level attestation — or in many cases, pass the call with no STIR/SHAKEN signature at all.
The scammer's workflow exploits this gap directly:
1. Lease phone numbers from an offshore VoIP provider.
2. Program the outgoing Caller ID to display any desired number (neighbor spoofing, government agency impersonation).
3. Route the call through an international gateway carrier into the U.S. network.
4. The gateway carrier assigns C-level attestation (or none) because it cannot verify the caller.
5. The call reaches the recipient's phone. It rings.
No part of this chain violates any technical control imposed by STIR/SHAKEN. The protocol functions as designed — it labels the call as unverified. It does not prevent the call from connecting.
Why do legacy TDM networks bypass STIR/SHAKEN?
STIR/SHAKEN operates on IP-based signaling infrastructure (SIP). Legacy Time-Division Multiplexing (TDM) networks — the copper-wire infrastructure that still carries a significant percentage of U.S. telephone traffic, particularly in rural areas — cannot process STIR/SHAKEN certificates natively.
When a call transitions from a SIP network to a TDM network (or vice versa), the STIR/SHAKEN signature is stripped at the conversion point. The FCC acknowledged this limitation in its 2023 Further Notice of Proposed Rulemaking, noting that calls traversing mixed SIP/TDM paths lose attestation data at each protocol boundary.
For rural carriers still operating significant TDM infrastructure, this means:
- Calls received over TDM trunks arrive without any STIR/SHAKEN data.
- The receiving carrier cannot assign attestation because the originating signature was lost in transit.
- The call is delivered as if STIR/SHAKEN did not exist.
The FCC's compliance extension for small carriers — which covered carriers with fewer than 100,000 subscriber lines — further delayed the deployment timeline for the networks most vulnerable to this gap.
What is the FCC's Robocall Mitigation Database and does it help?
The FCC's Robocall Mitigation Database (RMD) requires all voice service providers — including intermediate carriers and gateway providers — to file robocall mitigation plans. Providers that fail to file are subject to downstream blocking: other carriers may refuse to accept their traffic.
The RMD has produced measurable results. The FCC reported removing over 40 gateway providers from the RMD for non-compliance between 2023 and 2025, and directed downstream carriers to block their traffic. However, the enforcement mechanism is reactive — providers are removed after complaints and investigation, not before their traffic reaches consumers.
Additionally, the RMD does not require providers to implement STIR/SHAKEN specifically. Providers may submit alternative robocall mitigation plans using analytics-based solutions. The database ensures that every provider has a plan. It does not ensure that every plan works.
How does on-device call screening fill the STIR/SHAKEN gap?
On-device call screening operates at the endpoint — the recipient's phone — rather than at the network level. This architectural position allows it to evaluate the same STIR/SHAKEN attestation data that carriers generate, plus additional signals that network-level tools cannot access:
Callro's 26-layer Gauntlet Engine reads the STIR/SHAKEN attestation level of every incoming call in approximately 18 ms and incorporates it into a multi-factor scoring decision:
- A-level attestation (full): Call passes through immediately. The originating carrier has cryptographically verified the caller's identity and number authorization.
- B-level attestation (partial): Call is subjected to additional behavioral analysis layers — number frequency patterns, geographic consistency, and contacts safelist matching.
- C-level attestation (gateway) or no attestation: Call receives maximum scrutiny. These calls represent the highest-risk category and are the most likely to be spoofed international robocalls.
When the Gauntlet Engine's composite score exceeds the blocking threshold, the call is silently intercepted before the phone rings. If the call is confirmed spam, Callro generates a SIT tone (Special Information Tone) to signal the autodialer that the number is disconnected, triggering database removal.
This defense layer is what STIR/SHAKEN was designed to enable: a downstream consumer application that uses attestation data as one input among many to make a real-time blocking decision. The protocol provides the signal. On-device screening provides the action.
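How a downstream consumer can turn the attestation label into a handling decision, as an added example that is not Callro's code. In SIP the attestation level travels as the "attest" claim of a PASSporT token in the Identity header (RFC 8225, RFC 8588). The function names, tier labels, sample numbers and certificate URL are assumptions of this example, and signature verification is assumed to have happened upstream.

```python
import base64
import json

# Handling tiers from the article's A/B/C list (the labels are this example's own).
TIERS = {"A": "pass", "B": "behavioral-analysis", "C": "maximum-scrutiny"}
MAX_AGE_S = 60  # "iat" freshness window; RFC 8224 recommends 60 seconds


def _seg(obj):
    """Encode a dict as one unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def sample_identity(attest, tn, iat):
    """Constructed Identity value with a placeholder signature, not a real call."""
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
            "x5u": "https://cert.example.invalid/sti.pem"}
    body = {"attest": attest, "dest": {"tn": ["12025550100"]}, "iat": iat,
            "orig": {"tn": tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{_seg(head)}.{_seg(body)}.c2ln;info=<{head['x5u']}>;alg=ES256;ppt=shaken"


def _json(segment):
    """Decode one base64url segment, restoring the padding JWTs omit."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def triage(identity_header, caller_tn, now):
    """Return (attestation, tier); attestation is None when unusable.

    Assumption: the ES256 signature was already verified upstream against the
    certificate named by x5u. Only the claims are inspected here.
    """
    if not identity_header:  # e.g. stripped at a SIP/TDM boundary
        return None, TIERS["C"]
    token = identity_header.split(";", 1)[0].strip()
    try:
        head_b64, body_b64, _sig = token.split(".")
        head, body = _json(head_b64), _json(body_b64)
        tier = TIERS[body["attest"]]
        ok = (head["ppt"] == "shaken" and head["alg"] == "ES256"
              and abs(now - int(body["iat"])) <= MAX_AGE_S    # stale or replayed
              and body["orig"]["tn"] == caller_tn.lstrip("+"))  # number mismatch
    except (ValueError, KeyError, TypeError):
        return None, TIERS["C"]  # malformed token: treat as unsigned
    return (body["attest"], tier) if ok else (None, TIERS["C"])
```

A token that is missing, malformed, stale, or signed for a different calling number falls into the same tier as an unsigned call, so a damaged label is never treated as better than no label.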
Download Callro from Google Play and activate the defense layer that STIR/SHAKEN alone cannot provide. 7-day free trial, no credit card required.
What should consumers understand about STIR/SHAKEN in 2026?
Three takeaways from the current state of STIR/SHAKEN enforcement:
1. STIR/SHAKEN is a labeling system, not a blocking system. Calls with degraded or missing attestation still ring the phone unless a downstream application acts on the signal.
2. International and legacy traffic bypasses the protocol entirely. The structural gaps in TDM networks and international gateway routing are not bugs — they are architectural limitations that will persist as long as mixed-protocol infrastructure exists.
3. On-device call screening is the complementary defense. STIR/SHAKEN provides a trust signal. An on-device application converts that signal into a blocking decision.
Callro uses STIR/SHAKEN data as one of 26 independent verification layers. Combined with behavioral analysis, contacts safelist matching, and SIT tone generation, the result is comprehensive call protection that operates entirely on the device — no cloud dependency, no data collection, no privacy compromise.