Thanks for all your comments. DrTandem1, I'm stripping newlines, CC/BCC/Content Type headers from the inputted text so got that part covered, but need some clarification on your first suggestion. When you say check the email domain, do you mean the domain of the inputted email address?
Keimos, my purpose is not to use somebody else's tool to create a contact form, I want to secure my own script so I fully understand how it works. As I said in the original post, please don't just suggest I use a secure version of formmail.
Thanks for your time everybody, it's really appreciated.