Users can't sign up to your site without activating their account via the email address they supplied. So you can't send a message if you haven't activated your account. Users can decide whether to accept emails directly from your site. You can't send a message to a user who doesn't want to accept them. All emails should have a 'from' field based on your domain - NOT the address of the sender (user). You are responsible for formmail.
Keep a log of messages sent - sender_id | recipient_id | timestamp - don't keep a copy of the content, unless you tell everybody that a copy will be kept. In the event of a complaint, you can check the log and ban / delete a user. Keeping copies can get heavy - especially if they contain attachments.
Ok, thanks for your time. Let me tell you what my exact idea is. Yes, you are right, registered users had verified their emails during registration. Messages through the site are usually sent by non-registered visitors. What they deal in is not my business. My idea is to block, for example, email@example.com, firstname.lastname@example.org, and so on from sending any kind of messages through the site's send_mail.php. These guys are well-known spammers and regularly send fake deals. Hope this gives you more details.
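One way to do the address check asked about above, combined with the site-domain From field and the metadata-only log from the earlier reply. This is an added example, not code from either poster: the function names, `SITE_FROM`, the log file path and the `@blocked.example` domain entry are assumptions, and because visitors have no user id the log stores their address instead.

```php
<?php
// Added example: all names and addresses here are placeholders, not from the thread.
const SITE_FROM = 'noreply@example.com';   // assumed address on the site's own domain
// Full addresses are matched exactly; an entry starting with '@' blocks a whole domain.
const BLOCKLIST = ['email@example.com', 'firstname.lastname@example.org', '@blocked.example'];

function normalize_sender(string $raw): ?string
{
    // Reject CR/LF outright: they would let a visitor inject extra mail headers.
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $addr = strtolower(trim($raw));        // so "Email@Example.com " still matches
    return filter_var($addr, FILTER_VALIDATE_EMAIL) ? $addr : null;
}

function is_blocked(string $addr, array $blocklist): bool
{
    $domain = substr($addr, strrpos($addr, '@'));   // keeps the leading '@'
    foreach ($blocklist as $entry) {
        $entry = strtolower($entry);
        if ($entry === $addr || ($entry !== '' && $entry[0] === '@' && $entry === $domain)) {
            return true;
        }
    }
    return false;
}

function handle_message(string $rawSender, string $to, string $subject, string $body, string $logFile): string
{
    $sender = normalize_sender($rawSender);
    if ($sender === null) {
        return 'rejected: invalid sender';
    }
    if (is_blocked($sender, BLOCKLIST)) {
        return 'rejected: blocked sender';
    }
    $subject = str_replace(["\r", "\n"], ' ', $subject);   // no header injection via subject
    // From is the site's own address; the visitor only appears in Reply-To.
    $headers = ['From' => SITE_FROM, 'Reply-To' => $sender];
    // Log metadata only (sender | recipient | timestamp), never the message content.
    file_put_contents($logFile, "$sender | $to | " . gmdate('c') . "\n", FILE_APPEND | LOCK_EX);
    return mail($to, $subject, $body, $headers) ? 'sent' : 'failed';
}
```

`$to` is expected to be chosen by the site (for example, looked up from the recipient's account), not taken from the form. Since visitors are unverified, the sender address is whatever they type, so this check only stops senders who keep reusing the same address.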