
We don't do that. It's just another barrier to entry. Hopefully you do it because it's necessary for the product and not because you want to have a validated e-mail.


Not doing it can lead to email hijacking:

Consider someone signing up with my email address: foo@bar.com. Now I'm not going to be able to use that email address, because it is already taken. Worse, if messages are sent to that account, such as invitations, the attacker can accept them, since they typically see the invitations on the site in addition to their being sent to the email address.

As the legit user, I might see the invites, but won't be able to log in at all. Worse things can happen: once the attacker signs up, they could make this email address secondary and add another, primary address so that they see all of the messages.
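The squatting scenario described in this comment, worked through as an added example (this is not code from the thread or from any real service): a naive registry that trusts the first sign-up and hands the squatter every invitation, next to one in which an address is neither reserved nor usable until its owner has used a verification token, so an unverified claim can be displaced by the real owner and cannot be used to bolt on a second, attacker-controlled primary address. The registries, the `mallory` account, the invitation text and the hypothetical `add_primary_email` method are all constructed for the illustration; only `foo@bar.com` comes from the comment.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Account:
    username: str
    email: str
    verified: bool = False
    token_hash: Optional[str] = None   # sha256 of the outstanding verification token
    invitations: List[str] = field(default_factory=list)

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()   # never store the live token

class NaiveRegistry:
    """First sign-up wins and nothing is verified: the situation the comment describes."""

    def __init__(self) -> None:
        self.by_email: Dict[str, Account] = {}

    def signup(self, username: str, email: str) -> Account:
        if email in self.by_email:
            raise ValueError("email already taken")
        self.by_email[email] = acct = Account(username, email, verified=True)  # trusted blindly
        return acct

    def deliver_invitation(self, email: str, invite: str) -> bool:
        self.by_email[email].invitations.append(invite)   # whoever holds the address sees it
        return True

class VerifiedRegistry:
    """An address is reserved, and usable, only after its owner has used the token."""

    def __init__(self) -> None:
        self.by_email: Dict[str, Account] = {}

    def signup(self, username: str, email: str) -> Tuple[Account, str]:
        existing = self.by_email.get(email)
        if existing is not None and existing.verified:
            raise ValueError("email already taken")
        # An unverified squatter does not reserve the address: a new claimant
        # replaces it and must verify in turn, which invalidates the old token.
        token = secrets.token_urlsafe(32)
        self.by_email[email] = acct = Account(username, email, token_hash=_hash(token))
        return acct, token   # the token travels only in the verification e-mail

    def verify(self, email: str, token: str) -> bool:
        acct = self.by_email.get(email)
        if (acct is None or acct.verified or acct.token_hash is None
                or not hmac.compare_digest(acct.token_hash, _hash(token))):
            return False
        acct.verified, acct.token_hash = True, None
        return True

    def deliver_invitation(self, email: str, invite: str) -> bool:
        acct = self.by_email.get(email)
        if acct is None or not acct.verified:
            return False   # an unverified holder never sees it on the site
        acct.invitations.append(invite)
        return True

    def add_primary_email(self, email: str, new_email: str) -> Tuple[Account, str]:
        """Hypothetical: only a verified account may change address, and the new one is verified the same way."""
        acct = self.by_email.get(email)
        if acct is None or not acct.verified:
            raise PermissionError("verify the current address first")
        return self.signup(acct.username, new_email)

def hijack_demo() -> Dict[str, bool]:
    """Run both registries through the scenario in the comment (constructed data)."""
    naive = NaiveRegistry()
    mallory = naive.signup("mallory", "foo@bar.com")   # attacker squats the address
    naive.deliver_invitation("foo@bar.com", "join project X")
    try:
        naive.signup("foo", "foo@bar.com")   # the real owner is turned away
        naive_owner_blocked = False
    except ValueError:
        naive_owner_blocked = True

    reg = VerifiedRegistry()
    _, squat_token = reg.signup("mallory", "foo@bar.com")   # token goes to foo's inbox
    squatter_saw_invite = reg.deliver_invitation("foo@bar.com", "join project X")
    _, owner_token = reg.signup("foo", "foo@bar.com")   # owner displaces the squatter
    stale_token_rejected = not reg.verify("foo@bar.com", squat_token)
    owner_verified = reg.verify("foo@bar.com", owner_token)
    owner_saw_invite = reg.deliver_invitation("foo@bar.com", "join project X")
    return {
        "naive_attacker_saw_invite": "join project X" in mallory.invitations,
        "naive_owner_blocked": naive_owner_blocked,
        "squatter_saw_invite": squatter_saw_invite,
        "stale_token_rejected": stale_token_rejected,
        "owner_verified": owner_verified,
        "owner_saw_invite": owner_saw_invite,
    }

if __name__ == "__main__":
    for check, result in hijack_demo().items():
        print(f"{check}: {result}")
```

The two design points that close the hole are that an unverified claim reserves nothing (so the owner can always sign up and verify), and that every address-bearing action, including adding a new primary address, is refused until the current address is verified. Storing only a hash of the token and comparing with `hmac.compare_digest` keeps a database leak or timing side channel from handing out usable verification links; a real deployment would also expire the token.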


I disagree. Don't you need to validate their email address so you know you're reaching only people who wanted to sign up?


Well, you could do an opt-out service -- send an e-mail that says "click here if this isn't you"

Or use something like a simple screenname for authentication (e.g. the e-mail is just for lost passwords, so if they don't provide a valid e-mail, it's their loss).

Or use something like OpenID or Passport (the identity provider might need to validate an e-mail address but you don't have to).

Or build a site that needs no authentication to begin with -- e.g. a search engine.



