The validation record doesn't have an email address in it.
When we change the user's email address we create a validation record.
So, with the re-use, the following would work:
1) Set your email address to real.address@site.com, a validation email
is sent.
2) Don't click it! Instead, go back and change your email address to
fake.address@fakeyfake.com, another validation email is sent (but
bounces).
3) Click on the link in the first email. Ta-dah! You've "validated"
fake.address@fakeyfake.com!!
So: generate a new validation code every time we're asked to create
one for the user.
Right? Right?