10DLC OTP SMS USA: Complete Guide to A2P 10DLC for Authentication in 2026

If you send SMS one-time passcodes to US mobile users in 2026, your traffic runs on the 10DLC framework, whether you know it or not. 10DLC, short for 10-Digit Long Code, is the regulated A2P SMS standard that Verizon, AT&T, T-Mobile, and US Cellular enforce for every commercial text sent to a US phone number. Unregistered traffic gets filtered, throttled, or blocked outright. Registered 10DLC traffic, by contrast, delivers at 99 percent plus with full carrier support.

This guide explains how 10DLC works, why it became mandatory, how to register through The Campaign Registry, what throughput you can expect, how authentication campaigns differ from marketing campaigns, and how to skip the 2 to 6 week registration wait using pre-approved 10DLC routes. For an end-to-end view of the US OTP landscape, see our SMS OTP Service USA hub. For integration details, see the Phone Number Verification API page.

What is 10DLC?

10DLC is a US-specific A2P SMS framework that lets businesses send commercial text messages from registered, 10-digit long-code phone numbers (the same format as a regular mobile number). It was introduced jointly by the major US wireless carriers in 2020 and became fully enforced in 2021 to address two problems: spam abuse of long codes and the rising cost and complexity of short codes for legitimate businesses.

Before 10DLC, businesses had three options: short codes (expensive, hard to provision, took 8 to 12 weeks), toll-free SMS (cheap but limited features), or unregistered long codes (free but throttled at carrier level). 10DLC bridges this gap: registered, vetted, carrier-approved long codes with predictable throughput, transparent pricing, and full feature support including OTP delivery.

The framework is administered by The Campaign Registry (TCR), an industry-backed entity that handles brand and campaign registration. Each US carrier vets registered campaigns independently and assigns throughput limits based on Trust Score, vetting tier, and use case.

Why 10DLC is mandatory for OTP SMS in the USA

Three pressures pushed 10DLC from optional to required:

Spam abuse of long codes

‍Pre-2020, anyone could send SMS from a long code with no carrier verification. Spammers exploited this for unsolicited marketing, phishing, and fraud. Carriers responded with aggressive filtering, which collateral-damaged legitimate business traffic, including OTP. 10DLC introduced verifiable identity at the brand and campaign level.

STIR/SHAKEN parallels for SMS

‍The FCC's robocall reforms drove carriers to extend similar verification logic to SMS. 10DLC is the SMS equivalent: every commercial message can be traced back to a verified brand and approved use case.

Carrier revenue protection

‍Carriers historically subsidized A2P long code traffic. 10DLC introduced surcharges that align pricing with actual carrier cost while funding the vetting infrastructure.

For OTP traffic specifically, the consequence of skipping 10DLC is severe. Unregistered OTP messages to Verizon, AT&T, T-Mobile, or US Cellular numbers face delivery failure rates of 20 to 60 percent, with many messages silently dropped. For an authentication flow where every dropped OTP means a failed signup or login, this is unworkable. Compliant 10DLC OTP delivery is the baseline, not an upgrade.

How 10DLC registration works

Registration happens in four stages through The Campaign Registry.

Stage 1: Brand registration

You submit your legal business identity to TCR: corporate name, EIN or DUNS, address, website, vertical, and authorized representative contact. TCR runs an automated check against business registries (Dun & Bradstreet, public filings) and assigns a Trust Score from 0 to 100. Higher Trust Scores unlock higher throughput.

Three brand types matter:

• Standard Brand: EIN-verified US business. Default for most commercial OTP senders. Trust Score typically 50 to 80.
• Low Volume Brand: Lighter verification, capped at lower throughput, suitable for low-volume use cases (under 2,000 messages per day per campaign).
• Sole Proprietor Brand: Limited to non-EIN small businesses with much stricter throughput limits.

For OTP at meaningful scale, you almost always want Standard Brand status. Vetting can be enhanced through optional third-party vetting (typically via Aegis or WMC), which lifts Trust Score and unlocks higher throughput on T-Mobile in particular.

Stage 2: Campaign registration

Once your brand is approved, you submit one or more campaigns. A campaign defines a specific use case and message content type. For OTP traffic, the use case is Account Notification - 2FA (Two-Factor Authentication).

Campaign submission requires: use case, sample message content (with OTP placeholder), opt-in description (how users consented), opt-out language, help/support details, monthly volume estimate, and number-pool size. TCR reviews the campaign for completeness; carriers then independently approve or request changes.

Stage 3: Carrier review

Each carrier vets campaigns separately. Verizon, AT&T, and T-Mobile each have their own review processes with different turnaround times:

• T-Mobile: 1 to 3 business days for most campaigns.
• Verizon: 3 to 10 business days. Most thorough review.
• AT&T: 5 to 14 business days. Often the longest.
• US Cellular: Typically aligns with AT&T review timeline.

Each carrier sets per-campaign throughput (messages per minute) based on Trust Score and campaign type. For 2FA campaigns with a Standard Brand at default Trust Score, expect approximately 4,500 to 6,000 messages per minute on T-Mobile, 1,500 to 3,000 on Verizon, and 1,200 to 2,400 on AT&T. Enhanced vetting and Tier 1 Trust Scores can push T-Mobile throughput to 9,000+ messages per minute.

Stage 4: Number provisioning

Once the campaign is approved, you provision 10DLC long-code numbers and bind them to the campaign. Numbers can be a single dedicated long code or a pool of numbers (helpful for high-volume OTP traffic to spread load and improve deliverability). Provisioning through an A2P provider takes seconds once campaign approval is in place.

10DLC fees and pricing

Three layers of cost apply to 10DLC OTP traffic:

Registration fees (one-time and recurring)

‍Brand registration typically costs $4 to $40 depending on type. Campaign registration costs $10 per month per campaign for low-volume use cases, and $10 to $15 per month for Standard campaigns. Optional third-party vetting costs $40 to $95 one-time per brand.

Carrier pass-through fees

‍Each carrier charges per-message fees on top of the SMS rate: T-Mobile applies $0.002 to $0.003 per message; AT&T applies similar surcharges; Verizon applies its own per-message and per-month campaign fees. For high-volume OTP, these add up quickly.

A2P provider per-message rate

‍Your SMS aggregator (Twilio, Bandwidth, Sinch, Message Central VerifyNow, etc.) charges per SMS sent. US 10DLC rates for OTP typically run $0.0075 to $0.012 per message including carrier surcharges.

For a detailed cost breakdown across volume tiers, see our SMS OTP Pricing USA guide.

Throughput limits explained

10DLC throughput is set per carrier, per campaign, and per second. The headline number is messages per second (MPS) or messages per minute (MPM). For OTP traffic at scale, throughput planning matters because OTP arrivals are bursty (login peaks, signup spikes during marketing campaigns).

Sample throughput for a Standard Brand with a 2FA campaign at default Trust Score:

• T-Mobile: 75 MPS (4,500 MPM)
• Verizon: 25 to 50 MPS
• AT&T: 20 to 40 MPS
• US Cellular: 10 to 20 MPS

If your peak OTP demand exceeds these limits, you have three options: (1) enhance brand vetting to unlock higher tiers, (2) split traffic across multiple campaigns (rarely cost-effective for 2FA), or (3) use a number pool so multiple long codes serve the same campaign. The third approach is the most common for OTP at scale.

10DLC vs Toll-Free vs Short Code for OTP

Feature10DLCToll-Free SMSShort CodeNumber format10-digit long code+1 8XX number5-6 digit short codeSetup time2-6 weeks (none with pre-approved routes)1-3 days verification8-12 weeksThroughput4,500-9,000 MPM (T-Mo Tier 1)1,800 MPM40,000+ MPMPer-message cost$0.0075-$0.012$0.015-$0.020$0.0050-$0.0075 + monthly leaseMonthly lease$10-$15 per campaign$2 per number$500-$1,500 per codeBest forOTP, transactional, mid to high volumeOTP, transactional, low to mid volumeMassive scale OTP and marketingCarrier-verified identityYes (TCR brand)Yes (TFV verified)Yes (CTIA vetted)

For most US OTP senders, 10DLC offers the best balance of cost, throughput, and time-to-launch. Short codes only make sense at the very highest scales (millions of OTP per day). Toll-free SMS is a viable fallback for lower volumes or international-leaning senders. We cover all three formats in depth in our A2P SMS OTP USA guide.

10DLC authentication campaign rules

OTP traffic must be registered under an Account Notification - 2FA campaign type. The Campaign Registry and carriers enforce specific content rules for these campaigns:

• OTP code must be clearly transactional. Messages must explain what the code is for (login, verification, password reset). A bare numeric code without context can be flagged.
• No marketing or upsell in the same message. Combining OTP delivery with promotional content ("Your code is 12345. Get 20 percent off your next order") violates the 2FA campaign rules and can trigger account suspension.
• Opt-out language not required in transactional OTP. Unlike marketing 10DLC traffic, pure transactional 2FA messages do not require STOP/HELP keyword handling per CTIA guidelines, though most senders include HELP responses as a best practice.
• Brand name must appear. Messages must identify the sender clearly so users can recognize legitimate codes versus phishing attempts.
• Expiry should be stated. Industry norm: code expires in 5 to 10 minutes. State this in the message.

Sample compliant OTP SMS: "YourBrand: Your verification code is 482910. It expires in 10 minutes. Do not share this code with anyone."

For full content rules and TCPA implications, see our TCPA-Compliant SMS OTP API guide and the CTIA Messaging Principles and Best Practices.

How Trust Score affects your OTP throughput

Trust Score is the single biggest lever for OTP senders who need volume. T-Mobile in particular tiers throughput by Trust Score:

• Low Trust Score (0-39): Severely throttled, often under 30 MPS on T-Mobile.
• Medium Trust Score (40-69): Standard throughput, around 75 MPS on T-Mobile for 2FA.
• High Trust Score (70-100): Tier 1 unlocked, up to 150 MPS on T-Mobile.

Three actions push Trust Score higher: (1) provide a complete and accurate brand profile in TCR, including a clean public-facing website and matching legal registration, (2) opt into third-party vetting through Aegis or WMC at $40 to $95 one-time, (3) maintain clean traffic history (low spam complaint rate, low opt-out rate) over time.

The pre-approved 10DLC shortcut: under 5 minutes to your first OTP

The standard 10DLC registration path takes 2 to 6 weeks. For most US businesses launching a new product or upgrading authentication, that wait is unacceptable. The alternative: use an A2P provider that operates its own pre-approved 10DLC routes and sender IDs.

Message Central VerifyNow USA maintains an inventory of pre-registered Standard Brands and approved 2FA campaigns on a managed number pool. New customers can:

1. Sign up for VerifyNow USA with company verification details (2 to 3 minutes).
2. Get assigned a slot on a pre-approved 10DLC campaign matching their use case.
3. Send their first compliant OTP SMS within minutes through the verification API.

The catch is throughput: pre-approved shared campaigns are typically suited for low to mid volume OTP (under 100,000 SMS per day per customer). Above that, you may want to register your own dedicated brand and campaign through VerifyNow over a few weeks for higher dedicated throughput. Either way, you are not blocked from launching while you wait.

Common 10DLC mistakes that delay OTP launches

• Brand-name mismatch. If your TCR brand name does not exactly match the legal entity on file with the IRS, vetting fails. Submit the exact legal name including LLC, Inc., or Corp.
• Vague campaign descriptions. "Send messages to users" is rejected. Carriers want specifics: "Send 2FA OTP codes to users completing login on consumer banking app."
• Missing opt-in description. Even though pure transactional OTP does not require marketing-style consent, the campaign submission still needs a clear opt-in description (typically the moment the user enters their phone number during signup or login).
• Single-campaign overload. Mixing 2FA with marketing under one campaign causes throughput penalties and risks suspension. Always isolate authentication traffic in its own campaign.
• Skipping enhanced vetting at scale. If you plan to send more than 100,000 OTP per day on T-Mobile, the $40 to $95 vetting cost pays back within days through unlocked throughput.

Monitoring 10DLC OTP traffic

Once your campaign is live, three metrics matter:

• Delivery rate per carrier. Should sit at 99 percent plus on all four major carriers. Drops below 97 percent indicate filtering issues, typically content-related or Trust Score related.
• Opt-out rate. For OTP, this should be near zero. If users are responding STOP, your message is being misclassified as marketing or your phone-collection consent is unclear.
• Spam complaint rate. Tracked by carriers and TCR. High complaint rate degrades Trust Score, which throttles future traffic.

VerifyNow exposes per-carrier delivery and complaint metrics in real time. Issues are flagged before they degrade Trust Score irreversibly.

Frequently asked questions

Can I use 10DLC for international OTP from US numbers?

No. 10DLC is a US-only framework. Sending from a US 10DLC number to a non-US destination defeats the purpose and runs into separate international SMS rules. For global OTP, use a multi-channel verification API like Phone Number Verification API that routes per destination country.

What is the difference between A2P and P2P 10DLC?

P2P (person-to-person) traffic is human-to-human conversation from a long code. A2P (application-to-person) is automated, including OTP. 10DLC registration applies only to A2P. Carriers filter unregistered traffic that looks A2P based on volume and content patterns even if you intended it as P2P.

Do I need to renew 10DLC registration?

Brand registration is one-time with annual reverification. Campaign registration recurs monthly via subscription fees. Carrier-level approvals are persistent unless you change campaign content significantly.

Can I switch A2P providers without re-registering?

Your TCR brand is portable, but campaigns and number assignments are typically provider-specific. Switching providers usually means re-registering campaigns with the new provider. Message Central handles the migration end-to-end for businesses moving from Twilio, Bandwidth, or other US A2P providers.

What happens if my Trust Score drops?

Throughput is reduced. Severe drops (high spam complaint rates, content violations) can result in carrier suspension. Recovery requires cleaning traffic patterns and waiting for Trust Score to rebuild over weeks.

Start sending compliant 10DLC OTP today

10DLC is non-negotiable for US OTP traffic in 2026, but the 2 to 6 week registration timeline does not have to block your launch. VerifyNow USA operates pre-approved 10DLC routes and sender IDs so new customers can send compliant OTP SMS in under 5 minutes, with the option to upgrade to a dedicated brand and campaign as volume grows.

Free test credits, no credit card required. For deeper context on the US OTP ecosystem, see our SMS OTP Service USA hub, the TCPA Compliance guide, and the best SMS OTP providers comparison.