Firstly you need to add strong captcha to your form.
Then check this link for checking of email address.
http://www.webdigi.co.uk/blog/2009/how-to-check-if-an-email-address-exists-without-sending-an-email/smtpvalidateclassphp/

Users can't sign up your site without activating their account via the email address they supplied. SO you can't send a message if you haven't activated your account.
Users can decide whether to accept emails directly from your site. You can't send a message to an user who doesn't want to accept them.
All emails should have 'from field' based on your domain - NOT the address of the sender (user)). You are responsible for formmail.

Keep a log of messages sent - sender_id | recipient_id | timestamp - don't keep copy of content, unless you tell everybody that a copy will be kept. In the event of a complaint, you can check the log and ban / delete an user. Keeping copies can get heavy - especially if they contain attachments.

Use captcha YES.

Messages through the site are usually send by non registered - visitors. What they deal is not my business.

Be very careful, you could be providing malicious users with a facility to anonymously send spam. You'll get fingered for it if they provide a false email.

Depending on your site usage, you could be up to your neck in spam pushers.