The crucial part is the $additional_headers parameter.
This parameter can't be cleaned by the mail() function.
Note that there is a big difference between the behavior of this function on Windows systems vs. UNIX systems. On Windows it delivers directly to an SMTP server, while on a UNIX system it uses a local command to hand off to the system's own MTA. There are two extra delivery gotchas on top of that:

1) The domain in the email used in the -f option in the sendmail parameter or in the mail() extra parameters field needs to have a valid SPF record for the domain (in DNS as a "TXT" record type for sure, and add an additional "SPF" type record if possible). That header field is used for spam checks.

2) You should also use a domain key or DKIM.
It is automatically put into the message headers and _does not_ need to be included in $additional_headers.

$to can either be an array or a single address contained in a string.

$message should not contain any carriage return characters - only linefeeds. This is mostly unnecessary because qmail will ignore any additional To: headers injected by a malicious user. However, if you have some strange mail setup it might be a problem.

If you pass through using "\r\n" as a separator it may appear to work, but your email will be subtly corrupted and some middleware may break. It only works because some systems will clean up your mistake. On Windows, however, you should use "\r\n" because PHP is using SMTP in this situation, and hence the normal rules of the SMTP protocol (not the normal rules of Unix piping) apply.
Security advice: Although it is not documented, for the parameters $to and $subject the mail() function changes at least \r and \n to space.

It also performs careful validation of the e-mail addresses passed to it, making it more difficult for spammers to exploit your scripts. Please note that this function differs from the mail() function in that the from address must be passed as a _separate_ argument.

Bottom line, best practice is to be sure to convert any bare \n characters in the message to \r\n.

* "The maximum total length of a text line including the

For qmail users, I have written a function that talks directly to qmail-queue, rather than going through the sendmail wrapper used by mail(). Thus it allows more direct control over the message (for example, you can adapt the function to display "undisclosed recipients" in the To: header).

The SMTP RFC 822 is VERY explicit in stating that \r\n is the ONLY acceptable line break format in the headers, though it is a little vague about the message body.
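As an added example (not code from the PHP manual or from any of the notes above), here is a wrapper that enforces the two points made here: mail() never cleans $additional_headers, so a CR or LF in a header field has to be rejected before the call, and line endings in the body are normalised rather than left to whichever system happens to clean them up. The function name safe_mail and the $headers array layout are assumptions of this example.

```php
<?php
// Added example, not code from the PHP manual or its user notes. safe_mail()
// and the $headers array layout are assumptions of this example.
function safe_mail(string $to, string $subject, string $message, array $headers = []): bool
{
    // mail() does not clean $additional_headers, and what it does to $to and
    // $subject is undocumented: refuse any CR, LF or NUL in a header field so a
    // caller-supplied value cannot append headers (extra recipients, a second body).
    foreach (array_merge([$to, $subject], array_keys($headers), array_values($headers)) as $field) {
        if (preg_match('/[\r\n\0]/', (string) $field)) {
            throw new InvalidArgumentException('CR, LF or NUL in a mail header field');
        }
    }

    // Every recipient must be a syntactically valid address.
    foreach (array_map('trim', explode(',', $to)) as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Invalid recipient: $addr");
        }
    }

    // Extra headers become "Name: value" lines separated by CRLF, the only line
    // break the RFC allows in headers.
    $lines = [];
    foreach ($headers as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9-]+$/', (string) $name)) {
            throw new InvalidArgumentException("Invalid header name: $name");
        }
        $lines[] = "$name: $value";
    }
    $additional = implode("\r\n", $lines);

    // Body line endings: collapse CRLF/CR/LF to LF, then re-emit PHP_EOL, i.e.
    // LF where a local MTA adds the CR (UNIX) and CRLF where PHP speaks SMTP
    // itself (Windows). This never produces "\r\r\n" on already-correct input.
    $body = str_replace(["\r\n", "\r"], "\n", $message);
    $body = str_replace("\n", PHP_EOL, $body);

    return mail($to, $subject, $body, $additional);
}

// Constructed sample: a From: value carrying a CRLF is rejected before mail()
// is ever called, so nothing reaches the MTA.
try {
    safe_mail('user@example.com', 'Hello', "Line one\nLine two",
        ['From' => "sender@example.com\r\nBcc: someone@example.com"]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Rejecting rather than stripping the offending characters is deliberate: a stripped value silently changes what gets sent, while an exception surfaces the bad input where it can be logged.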