As bpreit pointed out, sending the "200 OK" response is what stops the IPN retries. The verification postback is a red herring; you can do it zero times, one time, or a hundred times, and if you don't send a "200 OK" response to the IPN, it will be retried.
So the correct strategy is:
1. Receive an IPN from Paypal.
2. Post it back to Paypal.
3. Make sure the response is VERIFIED.
4. Idempotently handle the payment.
5. Send "200 OK" response.
Step 4 needs to be idempotent in case your server dies or times out before sending the 200 OK response, but there's no way to avoid this without potentially losing messages. (I can't remember what the theorem is called, but in a lossy system it's impossible to avoid both messages being lost and messages being duplicated.)
Paypal has 99 problems, but its IPN processing isn't one.
So the correct strategy is: 1. Receive an IPN from Paypal. 2. Post it back to Paypal. 3. Make sure the response is VERIFIED. 4. Idempotently handle the payment. 5. Send "200 OK" response.
Step 4 needs to be idempotent in case your server dies or times out before sending the 200 OK response, but there's no way to avoid this without potentially losing messages. (I can't remember what the theorem is called, but in a lossy system it's impossible to avoid both messages being lost and messages being duplicated.)
Paypal has 99 problems, but its IPN processing isn't one.