Having a CAPTCHA that covers the registration process is important to protect you from bots whose sole purpose is to generate as many users as possible with the intent of using those users to post/add content on your site with links back to a site that they are trying to improve SEO on. This is only one way in which malicious users can utilize multiple accounts on a site for their own purposes.
The registration email protects your users as much as you by creating a way a means of resetting lost passwords, proving ownership, etc.
Both parts should be included when validating users. I also recommend running ip counting on new user attempts. Typically, locking after the 2nd user created is fairly safe as long as you provide a link that states why they have been prevented and a means of creating additional accounts on that ip.
None of these procedures is failsafe but together they provide a medium level of anti-spam protection. Of course, these days people defer user maintenance to social media sites like Google and Facebook.