The user object email field is considered PII, so the API will only return this information to you if you have permission from the end-user which is determined by the privacy settings.
You might want to look at Guidelines for requesting access to email address.