Well, you need to generate some sort of key that can't easily be replicated.
For example, you might take the user's email address, and splice in some random word of your choosing, eg:
You could use 'specialkey' or anything you like, but it's important you use the same value every time.
You would then run the above string (email@example.com) through the md5 function, and this will generate a key. Then when you email the user, you would include a link to a script, and pass two values, email and key:
firstname.lastname@example.org&key=(the md5 string)
(Tip: Make sure you run the email address through the urlencode() function before using it in the url).
In the validateuser.php script, you would take the incoming $_GET value of email (which in this case is email@example.com), (Tip: If you used the urlencode() function on the email address, you'll need to use urldecode() to get it back to its proper lettering) and you would again splice your specialkey in to the email address, and run it through the md5 function.
You then check to see if this value matches the incoming $_GET value of key.
If they match, then you can validate the user's registration.