Seems kind of ackward that i need to fish this kind of absolutely relevant information up from a forum post.
If this is the only way of validating incoming callbacks i would expect this to be officially documented.
As an added layer of security have you considered to make available an API call that returns a list of valid callback IP sources?
This would make it much more convenient to dynamically maintain firewall rules on top of the signature headers to be implemented.
If such a call/response exists already, my apologies, the documentation is kind of hard to get into.
What is the progress on this?