As best I can tell, there are reasonable approaches
- If the impact is small (duplicate email addresses are rare, recovery is cheap), then let the client layer suffice.
- If the data that you need to be unique is stable, then you can use that data as the seed for your identifier, and then you just need to prevent duplicates. People often change email addresses, so that approach is probably out.
- If your system of record has good set validation facilities (for instance, a relational database); then you can take the uniqueness constraint out of the domain model and let the system of record provide it instead.
- If all else fails, you can create an aggregate in your domain model that is responsible for maintaining the uniqueness constraint. This might cascade through your model (if the user entity you are creating isn't part of this aggregate, then you still have consistency challenges, but you have more control?)
I haven't yet seen any discussion of advanced approaches when the system of record is an event store. The closest I've seen asks the question "are you sure you are modeling the right thing?"
https://groups.google.com/forum/#!searchin/event-store/set$20validation/event-store/o_Y2exIxNZM/vZzuVld23lwJ
Beyond that, I'm super suspicious of this question; what is your domain that you are doing email/password? Reality check: who are your domain experts? If you have been talking to a bunch of security experts, using that ubiquitous language, great. Otherwise, I question whether you are packing the right stuff into your domain model.
(Riddle: what business rules in your domain depend upon User.email ? )