Configuring STIR/SHAKEN Attestation for Outbound Caller ID Integrity

How-To-Articles
1

Configuring STIR/SHAKEN Attestation for Outbound Caller ID Integrity

What This Guide Covers

  • Implementing STIR/SHAKEN protocols within Genesys Cloud BYOC to ensure outbound calls are not flagged as “Scam Likely” or “Spam.”
  • Understanding the three levels of Attestation (A, B, and C) and how to qualify for “Full Attestation.”
  • Configuring SIP headers (Identity) and coordinating with carriers to maintain caller ID reputation.

Prerequisites, Roles & Licensing

  • Licensing Tier: Genesys Cloud CX 1, 2, or 3.
  • Permissions: Telephony > Trunk > Edit, Telephony > DID > View.
  • Requirements: A BYOC Cloud or BYOC Premise SIP trunk with a carrier that supports STIR/SHAKEN (e.g., Bandwidth, Lumen, Verizon).
  • Compliance: Your organization must be registered with the Policy Administrator (STI-PA) or have a verified relationship with a signing carrier.

The Implementation Deep-Dive

1. Understanding Attestation Levels in the Contact Center

STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) is a framework designed to verify that the caller ID displayed on a phone is legitimate.

  • Attestation A (Full): The carrier knows the customer AND the customer has the right to use the phone number. This is the gold standard.
  • Attestation B (Partial): The carrier knows the customer but doesn’t verify they own the specific number (common when spoofing local IDs for a remote office).
  • Attestation C (Gateway): The call originated outside the network (e.g., an international call) and is just being passed through.
  • The Trap: “The Spam Filter Death Spiral.” If your calls are consistently sent with Attestation C, major US carriers (AT&T, Verizon, T-Mobile) will automatically label them as “Spam” or block them entirely. A “Principal Architect” ensures all outbound DIDs are verified in the Genesys Cloud Number Management UI to enable the carrier to sign the call with Attestation A.

2. Configuring SIP Trunks for STIR/SHAKEN Pass-Through

Genesys Cloud itself does not “sign” the calls; it provides the necessary metadata to your BYOC Carrier who then performs the signing.

  • The Process: In Admin > Telephony > Trunks, navigate to your Outbound SIP Trunk. Under External SIP Header Control, ensure that the P-Asserted-Identity (PAI) or Remote-Party-ID (RPID) is correctly mapped to the authenticated DID.
  • Header Mapping: Your carrier requires a verified DID in the From header.
  • The Trap: “Identity Header Striping.” If your local SBC (for BYOC Premise) or a downstream middleware strips the Identity header or the PAI header before it reaches the carrier’s gateway, the carrier will default to Attestation C. Always use a SIP trace to verify that the Identity token is present in the INVITE message leaving your Edge.

3. Coordinating with Carriers for Branded Calling

STIR/SHAKEN is only the first half of caller ID integrity. To truly protect your reputation, you should implement Branded Calling (e.g., First Orion, Hiya, or Neustar).

  • Implementation: These vendors use the STIR/SHAKEN “A” attestation as a prerequisite. Once verified, they display your Company Name and Logo on the recipient’s smartphone instead of just the number.
  • The Trap: “The Wrongful Blocking Loop.” Even with Attestation A, if your agents have poor “Wrap-up” habits and make too many short-duration calls (under 15 seconds), carrier algorithms will flag you as a “Robodialer.” You must monitor your Average Call Duration by campaign and ensure it stays above the industry threshold for legitimate business traffic.

Validation, Edge Cases & Troubleshooting

Edge Case 1: Attestation Drops to “C” for Transferred Calls

  • The Failure Condition: A call is transferred from an external partner to your Genesys Cloud flow and then back out to a carrier; the second leg has Attestation C.
  • The Root Cause: The original Identity token from the first leg cannot be re-used for the second leg. This is known as the “STIR/SHAKEN Diversion” problem.
  • The Solution: Implement the Diversion or History-Info SIP headers in your trunk configuration. This tells the downstream carrier that the call is being redirected, allowing them to maintain the original attestation context.

Edge Case 2: International Call Attestation

  • The Failure Condition: Calls to the UK or Australia are not getting the same “Verified” status as US calls.
  • The Root Cause: STIR/SHAKEN is currently a US-centric (FCC) mandate. Other countries use different frameworks (like the UK’s Ofcom CLI guidelines).
  • The Solution: Do not attempt to send US-style Identity tokens to international carriers. Instead, ensure your E.164 formatting is perfect and your carrier has authorized your DIDs for those specific regions to avoid “Carrier Filtering.”

Official References