Since January 1, 2026, the French Number Authentication Mechanism (MAN) requires operators to reject unauthenticated calls. For IT leaders and technical managers, understanding and implementing STIR/SHAKEN has become an operational necessity. This technical guide details the concrete implementation steps.
STIR/SHAKEN and MAN: Understanding the Architecture
STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) is the international call authentication protocol. France has developed its own implementation called MAN, compliant with ARCEP specifications.
The principle is simple: each outgoing call is cryptographically signed by the originating operator, allowing the receiving operator to verify that the caller ID has not been spoofed.
Technical Components
- STI-CA (Certificate Authority): the certification authority that issues certificates to authorized operators
- STI-PA (Policy Administrator): manages policies and the list of accredited operators
- SPC Certificate: Service Provider Code, unique operator identifier
- PASSporT: Personal Assertion Token, the signed token added to SIP headers
The 3 Attestation Levels: A, B, and C
Each call receives an attestation level indicating the operator's degree of confidence in the caller's identity:
Attestation A (Full) — The Standard to Aim For
The operator certifies that it:
- Has authenticated the customer's identity (complete KYC)
- Has verified the customer is authorized to use this number
- Is responsible for originating the call on the network
Impact: Calls with A attestation benefit from a "Verified Call" indicator on some phones and are rarely blocked by spam filters.
Attestation B (Partial) — Gray Zone
The operator knows the customer but has not verified their right to use the presented number. Typical for companies using numbers via SIP trunk without prior declaration.
Impact: No trust indicator, moderate filtering risk.
Attestation C (Gateway) — Avoid at All Costs
The operator cannot identify the call originator. This applies to calls transiting through unauthenticated international gateways.
Impact: Very high probability of blocking or "Spam Likely" display. Since January 2026, ARCEP requires masking of unauthenticated mobile numbers from abroad.
Technical Implementation: Steps for IT Leaders
Step 1: Audit Your Phone Infrastructure
Before any implementation, map your architecture:
- Trunk type: Direct SIP, ISDN (to migrate), or UCaaS (Teams, Zoom)
- IPBX: Asterisk, FreePBX, 3CX, Avaya, Cisco — verify STIR/SHAKEN compatibility
- Operator: Confirm MAN support and ability to attest your numbers at level A
- Numbers used: List all CLIs (Caller IDs) used for outgoing calls
Step 2: Number Declaration with Your Operator
To obtain A attestation, you must provide your operator with:
- Proof of ownership or allocation of numbers (invoices, contracts)
- Complete list of numbers to authenticate
- Contractual commitment on compliant use of numbers
Average timeline: 2 to 4 weeks for administrative validation.
Step 3: Technical Configuration (Asterisk Example)
For IPBX systems natively supporting STIR/SHAKEN (Asterisk 18+, recent FreePBX), configuration involves:
; stir_shaken.conf
[attestation]
global_disable = no
private_key_file = /etc/asterisk/keys/stir_private.pem
public_cert_url = https://certs.operator.com/12345.pem
[tn_0140000000]
type = tn
private_key_file = /etc/asterisk/keys/stir_private.pem
public_cert_url = https://certs.operator.com/12345.pem
attest_level = AEach number (TN - Telephone Number) must be configured with:
- The private certificate provided by the operator
- The public certificate URL for verification
- The authorized attestation level (usually A)
Step 4: Incoming Call Verification
If you receive calls, also configure verification:
[verification]
global_disable = no
load_system_certs = yes
ca_file = /etc/asterisk/keys/ca-bundle.crt
max_iat_age = 15The max_iat_age parameter (in seconds) defines tolerance on signature timestamp. 15 seconds is the recommended value.
Special Cases and Solutions
UCaaS (Microsoft Teams, Zoom Phone)
If you use Teams or Zoom for telephony, STIR/SHAKEN management is generally transparent:
- Teams Direct Routing: your SBC must support STIR/SHAKEN
- Operator Connect: the operator manages authentication
- Zoom Phone: attestation managed by Zoom for allocated numbers
Check with your UCaaS provider that your numbers are properly registered for A attestation.
Multi-Carrier and Number Portability
If you use multiple carriers or have ported numbers:
- Each carrier should only authenticate numbers it manages
- Ported numbers must be re-declared with the new carrier
- Watch for propagation delays (24-72h after porting)
Outsourced Call Centers
If you outsource outbound calls:
- Contractually require A attestation from your provider
- Provide them with proof of number allocation
- Regularly monitor the actual attestation level (monitoring tools)
IT Leader Checklist: 10 Control Points
- ✅ All SIP trunks are STIR/SHAKEN compatible
- ✅ Operator confirms level A attestation in writing
- ✅ Complete CLI list declared to operator
- ✅ Certificates and private keys securely stored
- ✅ IPBX configuration tested and validated
- ✅ Incoming call verification enabled
- ✅ Attestation level monitoring in place
- ✅ Certificate renewal procedure documented
- ✅ External providers audited for compliance
- ✅ Continuity plan if attestation degrades
Impact on Phone Reputation
Proper STIR/SHAKEN implementation isn't just a regulatory requirement — it's a competitive advantage:
- +15 to 25% answer rate for calls with "Verified" indicator
- Reduced spam reports: recipients trust verified calls more
- Complete traceability: in case of issues, call origin is provable
Conversely, poor implementation (B or C attestation) can ruin your outbound call campaigns, with blocking rates potentially reaching 60-80%.
Resources and Tools
- ARCEP - Numbering Plan Decision (December 2025)
- FFTélécoms - MAN Calendar
- Asterisk STIR/SHAKEN Documentation
To monitor your number reputation in real-time and detect attestation issues, check out the HUHU API which allows integrating monitoring directly into your supervision tools.
If your calls still aren't answered despite proper technical configuration, consult our guide on other reasons for unanswered calls — spam isn't the only factor.
