I'm not sure we're on the same page here. A residential ISP wouldn't have to do anything. You simply do a lookup (nslookup in command prompt is built in) which simply is a DNS lookup on example.com. That would return either a single IP but usually multiple IPs since it could return multiple IPv4 and v6 addresses (e.g. nslookup cnn.com). Those would be the allowed IP(s). The DNS lookup would have to happen when an IP not in the whitelist, tries to connect, so it could slow the connection (authentication) process down by seconds (1-3 seconds I'd guess). (It would also mean that any portscanning bots could trigger a DNS-lookup, but it's not exactly resource demanding.)
On my (home) end I would use providers like dyndns.com or similar on my router which would always update mysubdomain.dyndns.com with my current IP.
Please note that this method, which Apache calls forward-dns, is vastly different than their "Require host example.com". The latter method involves the host doing a reverse DNS lookup on the IP you're connecting from, e.g. 1.2.3.4 and checking if the reverse DNS lookup is returning example.com. For residential ISP that would never happen as it usually would be something in the neighborhood of xxxx.cust.isp.com.
I have changed the API and admin path and such but every time my ISP change my IP, I have to update the whitelists. Especially for the API as it's connecting to a web-server at home which in turn connects to an SMS API and the web-server is also doing an API call to PMavens to get the players account balance which is included in the SMS so I don't want random people accessing either APIs.
On my web-server I'm using forward-dns so I don't have to do anything for incoming web hooks from PMavens.
If I could get the same functionality in PMavens, I'd be set as the API calls to PMavens are coming from my home as well. Here dyndns.com comes to the rescue making sure my domain is always pointing to my IP.
Also, my IPs vary hugely. I've had 32.x.x.x IP, 37.x.x.x and 45.x.x.x IPs so far, so subnets wouldn't really help. I do realize that this is another corner case as most people doing API/web-hooks usually have the luxury of static IP, but here we are.