If you sign and encrypt emails, you don't have to verify the keys, that's done automatically:
John Smith wants to send Jane Doe an email, so he looks up her public key at an online key repository.
He uses her public key to encrypt the email and his private key to sign it.
She receives the email and decrypts it with her private key, validating his signature using John's public key she looked up in the key repository. If her public key (used by John to encrypt the email) had been spoofed in the repository, she wouldn't be able to decrypt the email with her private key.
You're almost right, but you're wrong about the lack of need for verification. The fact that she can decrypt the email which was encrypted with her public key obtained from a keyserver simply means she is in possession of the corresponding private key, not that she really is [the right] "Jane Doe" ... you might be beginning a correspondence with a spook. To verify that she is the person she is supposed to be (and not some Black Ops team MITM'ing her), the public keys must be verified, either by exchanging them in person in the first place, or by reading out key fingerprints over the phone if you would recognise her voice.
If John and Jane both get each other's public keys from a repository, and fail to verify them, then both keys may be bogus keys uploaded by MITM Bad Guys. This was well described by Phil Zimmermann in the original PGP 2.x User Manual.
This is the other part of the PGP web-of-trust concept that most geeks I know don't quite get. When I countersign your key, I'm signing it to say that you really are the person you say you are (or rather "this key really does belong to the person it claims to belong to"), and NOT you are a person who can be trusted. So I must NOT countersign your key unless/until I'm really sure it's your key - which needs the key verification step to have been performed.
Unfortunately, most IT people I know who've ever been persuaded to try PGP just merrily get busy countersigning all the public keys they acquire, whether or not they've verified them. It doesn't help that some PGP email client software insists that you only use 3rd party public keys you're certain of, and won't let you pick an unverified key - so users will often just sign the 3rd party key to say they're certain of it so they can click 'Send' on the email.
Relatedly, I often suspect my colleagues don't even read the question you get asked when signing a key, which says "How strongly do you believe this person knows how to use PGP properly ?"
It is actually quite tricky to use PGP carefully enough to gain the full web-of-trust benefit - although I agree you can do what many folks do, and just ignore all that key-signing stuff, and wing it :)
Sigh ...
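The fingerprint check described in the reply above, as an added example that is not part of either post: it computes an OpenPGP version 4 fingerprint (RFC 4880, section 12.2) and compares the key fetched from a repository against a fingerprint obtained in person or over the phone. The key material, the address `jane@example.org` and the `KEYSERVER` dictionary are constructed stand-ins, not real keys or a real keyserver API.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    nbits = n.bit_length()
    return struct.pack(">H", nbits) + n.to_bytes((nbits + 7) // 8, "big")

def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body."""
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()

def grouped(fpr: str) -> str:
    """Format a fingerprint in 4-character groups, as it is usually read out."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def key_matches(fetched_body: bytes, fingerprint_read_out: str) -> bool:
    """True only if the fetched key hashes to the fingerprint obtained out of band."""
    return v4_fingerprint(fetched_body) == "".join(fingerprint_read_out.split()).upper()

# Constructed sample data: the moduli are arbitrary 1024-bit numbers, not usable RSA keys.
# The user ID is a separate packet and is not hashed, so a bogus key can carry Jane's
# name and address, but different key material always gives a different fingerprint.
JANE_REAL = v4_public_key_body(1_000_000_000, (1 << 1023) + 0x1234567, 65537)
JANE_BOGUS = v4_public_key_body(1_000_000_000, (1 << 1023) + 0x7654321, 65537)
KEYSERVER = {"jane@example.org": JANE_BOGUS}  # hypothetical repository holding the bogus key

def check_before_use(address: str, fingerprint_read_out: str) -> bool:
    """Look the key up in the repository and verify it before encrypting or countersigning."""
    return key_matches(KEYSERVER[address], fingerprint_read_out)

if __name__ == "__main__":
    from_jane = grouped(v4_fingerprint(JANE_REAL)).lower()  # what Jane reads out herself
    print("Jane reads out:      ", from_jane)
    print("Repository key gives:", grouped(v4_fingerprint(KEYSERVER["jane@example.org"])))
    print("Safe to use or sign: ", check_before_use("jane@example.org", from_jane))
```

Nothing in the repository lookup itself reveals the substitution; only the comparison against a fingerprint obtained through a separate channel does.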