I generally send a link that contains the user ID and the activation key. When they visit my activation script, if I find a match, I activate them.
When they register, I'll generate maybe 32 chars of upper/lower case alphanumeric characters and set it as the activation key. At this point, you can create a field called 'activated,' or you can assume the user is not activated if they have an activation key.
uid | email             | key
----+-------------------+---------------------------------
001 | [email protected] | e09141f3f5a17fed6222fc0279b9afdf
002 | [email protected] |
When the user accesses the activation script, simply check for the provided key along with the provided id and if a match is found, erase the key from the user record on file (or update your boolean 'activated' field) and open the doors up.
If the provided email address doesn't exist, no loss. You can routinely remove all rows with keys after a month of inactivity.
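The flow described above, sketched as an added example (not code from the original post): the key comes from a CSPRNG, the comparison is constant-time, a used key cannot be replayed, and stale unactivated rows are purged. The SQLite schema, the `created` column, the function names and the 30-day reading of "a month" are assumptions made for illustration.

```python
import hmac
import secrets
import sqlite3
import string
import time

ALPHABET = string.ascii_letters + string.digits  # upper/lower case alphanumerics
KEY_LENGTH = 32
MAX_AGE = 30 * 24 * 3600  # "a month", taken here as 30 days (assumption)

def open_db():
    """In-memory table mirroring the post's uid | email | key layout (plus a timestamp)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, email TEXT, key TEXT, created REAL)")
    return db

def register(db, email, now=None):
    """Create an unactivated user; return (uid, key) to embed in the e-mailed link."""
    # secrets draws from the OS CSPRNG; the random module is predictable and unsuitable here.
    key = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
    now = time.time() if now is None else now
    cur = db.execute("INSERT INTO users (email, key, created) VALUES (?, ?, ?)", (email, key, now))
    return cur.lastrowid, key

def activate(db, uid, supplied_key):
    """Return True and erase the stored key only if uid and key both match."""
    row = db.execute("SELECT key FROM users WHERE uid = ?", (uid,)).fetchone()
    stored = row[0] if row and row[0] else ""
    # An empty stored key (unknown uid or already activated) never matches, so a blank
    # key in the link cannot activate anyone; the comparison itself is constant-time.
    if not stored or not hmac.compare_digest(stored.encode(), str(supplied_key).encode()):
        return False
    db.execute("UPDATE users SET key = NULL WHERE uid = ?", (uid,))
    return True

def is_activated(db, uid):
    """A user counts as activated when the row exists and holds no key."""
    row = db.execute("SELECT key FROM users WHERE uid = ?", (uid,)).fetchone()
    return row is not None and row[0] is None

def purge_stale(db, now=None):
    """Delete rows that still hold a key after MAX_AGE; return how many were removed."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM users WHERE key IS NOT NULL AND created < ?", (now - MAX_AGE,))
    return cur.rowcount
```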