Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg

PHP : Function Reference : Mail Functions : mail


Send mail (PHP 4, PHP 5)
bool mail ( string to, string subject, string message [, string additional_headers [, string additional_parameters]] )

Sends an email.



Receiver, or receivers of the mail.

The formatting of this string must comply with » RFC 2822. Some examples are:,
User <>
User <>, Another User <>

Subject of the email to be sent.


This must not contain any newline characters, or the mail may not be sent properly.


Message to be sent.

Each line should be separated with a LF (\n). Lines should not be larger than 70 characters.


(Windows only) When PHP is talking to a SMTP server directly, if a full stop is found on the start of a line, it is removed. To counter-act this, replace these occurrences with a double dot.

= str_replace("\n.", "\n..", $text);

additional_headers (optional)

String to be inserted at the end of the email header.

This is typically used to add extra headers (From, Cc, and Bcc). Multiple extra headers should be separated with a CRLF (\r\n).


When sending mail, the mail must contain a From header. This can be set with the additional_headers parameter, or a default can be set in php.ini.

Failing to do this will result in an error message similar to Warning: mail(): "sendmail_from" not set in php.ini or custom "From:" header missing. The From header sets also Return-Path under Windows.


If messages are not received, try using a LF (\n) only. Some poor quality Unix mail transfer agents replace LF by CRLF automatically (which leads to doubling CR if CRLF is used). This should be a last resort, as it does not comply with » RFC 2822.

additional_parameters (optional)

The additional_parameters parameter can be used to pass an additional parameter to the program configured to use when sending mail using the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.

The user that the webserver runs as should be added as a trusted user to the sendmail configuration to prevent a 'X-Warning' header from being added to the message when the envelope sender (-f) is set using this method. For sendmail users, this file is /etc/mail/trusted-users.

Return Values

Returns TRUE if the mail was successfully accepted for delivery, FALSE otherwise.

It is important to note that just because the mail was accepted for delivery, it does NOT mean the mail will actually reach the intended destination.


Version Description
4.3.0 (Windows only) All custom headers (like From, Cc, Bcc and Date) are supported, and are not case-sensitive. (As custom headers are not interpreted by the MTA in the first place, but are parsed by PHP, PHP < 4.3 only supported the Cc header element and was case-sensitive).
4.2.3 The additional_parameters parameter is disabled in safe_mode and the mail() function will expose a warning message and return FALSE when used.
4.0.5 The additional_parameters parameter was added.


Example 1129. Sending mail.

Using mail() to send a simple email:

// The message
$message = "Line 1\nLine 2\nLine 3";

// In case any of our lines are larger than 70 characters, we should use wordwrap()
$message = wordwrap($message, 70);

// Send
mail('', 'My Subject', $message);

Example 1130. Sending mail with extra headers.

The addition of basic headers, telling the MUA the From and Reply-To addresses:

= '';
$subject = 'the subject';
$message = 'hello';
$headers = 'From:' . "\r\n" .
'Reply-To:' . "\r\n" .
'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);

Example 1131. Sending mail with an additional command line parameter.

The additional_parameters parameter can be used to pass an additional parameter to the program configured to use when sending mail using the sendmail_path.

('', 'the subject', 'the message', null,

Example 1132. Sending HTML email

It is also possible to send HTML email with mail().

// multiple recipients
$to  = '' . ', '; // note the comma
$to .= '';

// subject
$subject = 'Birthday Reminders for August';

// message
$message = '
 <title>Birthday Reminders for August</title>
 <p>Here are the birthdays upcoming in August!</p>

// To send HTML mail, the Content-type header must be set
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";

// Additional headers
$headers .= 'To: Mary <>, Kelly <>' . "\r\n";
$headers .= 'From: Birthday Reminder <>' . "\r\n";
$headers .= 'Cc:' . "\r\n";
$headers .= 'Bcc:' . "\r\n";

// Mail it
mail($to, $subject, $message, $headers);

If intending to send HTML or otherwise Complex mails, it is recommended to use the PEAR package » PEAR::Mail_Mime.



The Windows implementation of mail() differs in many ways from the Unix implementation. First, it doesn't use a local binary for composing messages but only operates on direct sockets which means a MTA is needed listening on a network socket (which can either on the localhost or a remote machine).

Second, the custom headers like From:, Cc:, Bcc: and Date: are not interpreted by the MTA in the first place, but are parsed by PHP.

As such, the to parameter should not be an address in the form of "Something <>". The mail command may not parse this properly while talking with the MTA.


Email with attachments and special types of content (e.g. HTML) can be sent using this function. This is accomplished via MIME-encoding - for more information, see this » Zend article or the » PEAR Mime Classes.


It is worth noting that the mail() function is not suitable for larger volumes of email in a loop. This function opens and closes an SMTP socket for each email, which is not very efficient.

For the sending of large amounts of email, see the » PEAR::Mail, and » PEAR::Mail_Queue packages.


The following RFCs may be useful: » RFC 1896, » RFC 2045, » RFC 2046, » RFC 2047, » RFC 2048, » RFC 2049, and » RFC 2822.

Related Examples ( Source code ) » mail

Code Examples / Notes » mail

ian chilton

\r\n after each header doesn't seem to work in some mailers (eg: Gmail) - \n seems to work ok.


[EDITOR's NOTE: Following based off of a note originally by marcelo dot maraboli at usm dot cl which has been removed.]
I had a trouble with marcelo' function, I had to add "$val == 63" condition into "if" sentence for '?' character
# From marcelo post:
function encode_iso88591($string)
 $text = '=?iso-8859-1?q?';

 for( $i = 0 ; $i < strlen($string) ; $i++ )
  $val = ord($string[$i]);
  if($val > 127 or $val == 63)
    $val = dechex($val);
    $text .= '='.$val;
      $text .= $string[$i];
 $text .= '?=';

 return $text;
and later use:
      // create email
      $msg = wordwrap($msg, 70);
      $to = "";
      $subject = encode_iso88591("hoydía caminé !!");
      $headers =    "MIME-Versin: 1.0\r\n" .
              "Content-type: text/plain; charset=ISO-8859-1; format=flowed\r\n" .
              "Content-Transfer-Encoding: 8bit\r\n" .
              "From: $from\r\n" .
              "X-Mailer: PHP" . phpversion();
      mail($to, $subject, $msg, $headers);


You may also want to take a look at email() a mail() clone with built in MTA. This is particually useful if you webhost does has dissable access to mail.
email() is avaliable here: along with a style function referance
Hope that help someone.


While trying to send attachments I ran into the problem of having the beginning part of my encoded data being cut off.
A fact that I didn't see mentioned anywhere explicitly (except maybe in the RFC, which admittedly I didn't read fully) was that two newlines are required before you start the encoded data:
Content-Transfer-Encoding: base64\n
Content-Type: application/zip; name=""\n
\n  //<--- if this newline isn't here your data will get cut off

php dot net

When sending MIME email make sure you follow the documentation with the "70" characters per may end up with missing characters...and that is really hard to track down...


When including your own custom headers try not to include a trailing \r\n at the end of the last header.  Leaving the \r\n causes an extra line-feed at the beginning of the message body, so your message will start on the second line.


Warning: It should be stated clearly that "additional_headers" (the 4th parameter)
will not only allow you to add customized mail headers.
If there is an empty line in it the mail headers will be terminated and
the mail body will start exactly at this point.
mail ("foo@bar.example", "Test", "Hi dude",
 "Bcc: someone_else@bar.example\r\n\r\nBuy V1a*ra now\r\n");
will send a mail to <foo@bar.example> and <someone_else@bar.example>
and advertise pills.
It will give spammers the chance to abuse your webserver as a spam server if you e.g.
happen not to check the values your form receives from the client and paste it
directly into "additional_headers".


Users of Mac OS X Server need to activate SMTP part of the Mailserver before this is working.
Also note that if the ISP has blocked port 25 outgoing, you run into problems. You can find more info about this in the SMTP server log in Server Admin application if you run OSX Server.


Unless I'm confused, I suspect that in the code from "rsjaffe at gmail dot com" above, "\\r" and "\\n" should actually be "\r" and "\n".


To all you guys out there having problems with mail scripts throwing back this (and you know your scripts are right!!)...
Warning: mail() [function.mail]: "sendmail_from" not set in php.ini or custom "From:" header missing in:
I had started seeing this after moving some scripts from 4.3 servers to 5.
a dirty get around is using
ini_set ("sendmail_from","");
to force the From header.
Not ideal but it works.


Tired of idiots and imbeciles who creates unsecure php-code and lets spammers abuse mail()? Try this dirty trick:
With auto_prepend, prepend this file:
// You need to install pecl-module, runkit.
// We could rename the function, but that currently makes my apache segfault, but this works :-P
runkit_function_copy ( "mail","intmail" );
runkit_function_remove( "mail" );
function mail( $to, $subject, $message, $additional_headers = null, $additional_parameters = null ) {
   $___domain = $_SERVER['SERVER_NAME'];

   $fp = fopen("/tmp/my_super_mail_logg", "a");
   fwrite( $fp, date("d.m.y H:i:s") . " " . $___domain . ": $to / $subject\n");
   fclose( $fp );
   return intmail( $to, $subject, $message, $additional_headers, $additional_parameters );
You probably shouldn't log to /tmp, or any other place as the webserver-user, see syslog-functions ;)
And of course you can manipulate the different parameters, like adding custom headers to each email (For instance; "X-From-Web: {$_SERVER['SERVER_NAME']}")..


This might be something obvious, but it gave me a lot of headache to find out:
If you use an ascii char#0 in the "string mensaje" parameter, it will truncate the message till that point, (this happened to me sending a message read from a file)
For example:
$hs_asunto="a message for you";
Will result in an email that only contains the string:
Anyway, just in case it can save someone some time...


This is NOT PHP-specific but worth mentioning on the mail() page.
Watch out for sendmail command injection on your pages which call the mail() function.
How it works: the attacker will inject SMTP into your form unless you make it real clear where the header ends. Most people simply don't add a header or a \r\n\r\n sequence to their mail header forms.
Example : a new BCC: field can be injected so that your form can be used to deliver mail to any valid address the attacker chooses.
Since the httpd server host is a trusted host your MX will probably relay without asking any questions.
Be careful with any function that accepts user input.
Hope this helps.


There was a comment that
mail("User Name <>","Subject Here",$msg,"From:");
does not work. I've always used that and never had any issues - from Linux servers. I don't see how this could be different in IE vs Firefox; I've always gotten the same result in both. Just tried it on a Windows server and got this as a bounce back:
<User Name <>:
x.x.x.x does not like recipient.
Remote host said: 550 Requested action not taken: 550 No such recipient
Giving up on x.x.x.x.
(Details changed to protect the innocent/guilty (for using a Windows server))
Took me a while to find the bounce until I used ini_set('sendmail_from', 'my@account');
So it is probably  trying to deliver to "User Name <username" instead of simply "username".


The docs are slightly confusing by talking about the additional_paramaters paramater as being able to contain 'an additional parameter' in the singular.
The additional_parameters parameter is simply a string that gets concatenated onto the command passed to sendmail, so you can put as many params in there as you like, for example ' -R hdrs'


The article mentioned below is quite good to understand the problem of header injection. However, it suggests the following as a solution: look for "\n" and "\r" inside your user input fields (especially in those used for the $header param) and, if found reject the mail.
Allthough this will probably work I still believe it is better to have a "white list" of allowed characters instead of a "black list" with forbidden characters.
If you want a user to enter his name, then allow characters only!
If you want a user to enter his email adress, then check if the entry is a valid email adress.
Doing so might automatically solve problems which you didn't think of when you created the "black list". For SMTP headers colons are needed. If you check for a valid email adress the hacker won't be able to enter colons inside that form field.
I suggest using regular expressions for those checks.
For more information about regular expressions see:


Since lines in $additional_headers must be separated by \n on Unix and \r\n on Windows, it might be useful to use the PHP_EOL constant which contains the correct value on either platform.
Note that this variable was introduced in PHP 5.0.2 so to write portable code that also works in PHP versions before that, use the following code to make sure it exists:
if (!defined('PHP_EOL')) define ('PHP_EOL', strtoupper(substr(PHP_OS,0,3) == 'WIN') ? "\r\n" : "\n");


Searched for ages on the internet trying to find something that parses EML files and then sends them...for all of you who want to send an EML files you first have to upload it, read it, then delete it. Here's my's specialised for a single form where the user uploads the EML file.
// Reads in a file (eml) a user has inputted
function eml_read_in()
$file_ext = stristr($_FILES['upload']['name'], '.');

// If it is an eml file
if($file_ext == '.eml')

// Define vars
$dir = 'eml/';
$file = $dir.basename($_FILES['upload']['name']);
$carry = 'yes';

// Try and upload the file
if(move_uploaded_file($_FILES['upload']['tmp_name'], $file))

// Now attempt to read the file
if($eml_file = file($file))

// Create the array to store preliminary headers
$headers = array();
$body = '';
$ii = -1;

// For every line, carry out this loop
foreach($eml_file as $key => $value)

$pattern = '^<html>';

if(((eregi($pattern, $value)))||($carry == 'no'))

// Stop putting data into the $headers array
$carry = 'no';
$body .= $value;



// Separate each one with a colon
if(($eml_file_expl = explode(':', $value))&&($carry == 'yes'))

// The row has been split in half at least...

// Put it into the preliminary headers
$headers[$eml_file_expl[0]] = $eml_file_expl[1];

// There might be more semicolons in it...

// Add the other values to the header
$headers[$eml_file_expl[0]] .= ':'.$eml_file_expl[$i];






// Clear up the headers array
$eml_values = array();
$eml_values[to] = $headers[To];
$eml_values[from] = $headers[From];
$eml_values[subject] = $headers[Subject];
$eml_values['reply-to'] = $headers['Reply-To'];
$eml_values['content-type'] = $headers['Content-Type'];
$eml_values[body] = $body;


return $eml_values;




return '

File not uploaded - there was an error';



// Takes information automatically from the $_FILES array...
$eml_pattern = eml_read_in()
// Headers definable...through eml_read_in() again, but I'm guessing they'll be the same for each doc...
if(mail($eml_pattern[to], $eml_pattern[subject], $eml_pattern[content], $headers)) echo 'Mail Sent';

james butler

Re: "Second, the custom headers like From:, Cc:, Bcc: and Date: are not interpreted by the MTA in the first place, but are parsed by PHP.
As such, the to parameter should not be an address in the form of "Something <>". The mail command may not parse this properly while talking with the MTA."
PHP 5.0.4
Fedora Core 4
Apache 2.0
Sendmail 8.13.7
SMTP: localhost
Windows 98SE
Mozilla Firefox
Microsoft Internet Explorer 6.0.2800.1106
mail("User Name <>","Subject Here",$msg,"From:");
Using Firefox, no problems with the above command.
Using MSIE, won't send mail "to" address formatted as above.
mail("","Subject Here",$msg,"From:");
Works fine from both clients.
I mention this because it appears there is some interaction between the client and MTA that is unaccounted for in the above quote from this doc page.

Please note that using an address in this format "Zane, CEO -" <myaddrr@mydomain> (" are needed due to comma) works as expected under *nix, but WON'T WORK under Windows.
This is an example
mail("\"Zane, CEO -\" <myaddrr@mydomain>", "prova da test_zane", "dai funziona...");
It works under *unix, but it doensn't under Win: different error are reported:
Warning: mail() [function.mail]: SMTP server response: 553 5.0.0 <"Zane>... Unbalanced '"'
Warning: mail() [function.mail]: SMTP server response: 501 5.5.4 Invalid Address


One thing it can be difficult to control with this function is the envelope "from" address. The envelope "from" address is distinct from the address that appears in the "From:" header of the email. It is what sendmail uses in its "MAIL FROM/RCPT TO" exchange with the receiving mail server. It also typically shows up in the "Return-Path:" header, but this need not be the case. The whole reason it is called an "envelope" address is that appears _outside_ of the message header and body, in the raw SMTP exchange between mail servers.
The default envelope "from" address on unix depends on what sendmail implementation you are using. But typically it will be set to the username of the running process followed by "@" and the hostname of the machine. In a typical configuration this will look something like
If your emails are being rejected by receiving mail servers, or if you need to change what address bounce emails are sent to, you can change the envelope "from" address to solve your problems.
To change the envelope "from" address on unix, you specify an "-r" option to your sendmail binary. You can do this globally in php.ini by adding the "-r" option to the "sendmail_path" command line. You can also do it programmatically from within PHP by passing "-r" as the "additional_parameters" argument to the mail() function (the 5th argument). If you specify an address both places, the sendmail binary will be called with two "-r" options, which may have undefined behavior depending on your sendmail implementation. With the Postfix MTA, later "-r" options silently override earlier options, making it possible to set a global default and still get sensible behavior when you try to override it locally.
On Windows, the the situation is a lot simpler. The envelope "from" address there is just the value of "sendmail_from" in the php.ini file. You can override it locally with ini_set().


OK you gave good exemples but none look good with Lotus Notes 6.X. I found some exelent code compatible with Notes and others, the detailed solution is here :
I have cleaned Rowan's text, this is my working code :
$boundary = md5(uniqid(time()));
$headers  = 'From: ' . $from . "\n";
$headers .= 'To: ' . $to . "\n";
$headers .= 'Return-Path: ' . $from . "\n";
$headers .= 'MIME-Version: 1.0' ."\n";
$headers .= 'Content-Type: multipart/alternative; boundary="' . $boundary . '"' . "\n\n";
$headers .= $body_simple . "\n";
$headers .= '--' . $boundary . "\n";
$headers .= 'Content-Type: text/plain; charset=ISO-8859-1' ."\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\n";
$headers .= $body_plain . "\n";
$headers .= '--' . $boundary . "\n";
$headers .= 'Content-Type: text/HTML; charset=ISO-8859-1' ."\n";
$headers .= 'Content-Transfer-Encoding: 8bit'. "\n\n";
$headers .= $body_html . "\n";
$headers .= '--' . $boundary . "--\n";
$mailOk=mail('', $subject,'', $headers);
(Tested from Linux PHP4 to STMP Lotus Notes and Notes Client 6.5.1 & 5.? , it works with hotmail too, I didn't test other client)
by DitLePorc


Note: on class "multipartmail".  Modify the function buildmessage with the following and it will work great.
function buildmessage(){
        $this->message = "This is a multipart message in mime format.\n";
        $cnt = count($this->parts);
        for($i=0; $i<$cnt; $i++){
          $this->message .= "--" . $this->boundary . "\n" .$this->parts[$i];
$this->message .= "--" . $this->boundary . "-- \n";
Thank for all the help.


My mime multipart/alternative messages were going ok, until I switched to qmail with php .. after years of painfull searching, I came across this on the Life With Qmail 'Gotchas' section:
G.11. Carriage Return/Linefeed (CRLF) line breaks don't work
qmail-inject and other local injection mechanisms like sendmail don't work right when messages are injected with DOS-style carriage return/linefeed (CRLF) line breaks. Unlike Sendmail, qmail requires locally-injected messages to use Unix newlines (LF only). This is a common problem with PHP scripts.
So now, I can go back to sending emails with text AND html components :)

sven riedel

mail() requires /bin/sh to exist in Unix environments, next to a mail delivery program. This is very relevant when setting up apache in a chroot environment. Unfortunately this isn't anywhere in the documentation and took me several months to figure out.


Just a comment on some of the examples, and as a note for those who may be unaware. The SMTP RFC 822 is VERY explicit in stating that \r\n is the ONLY acceptable line break format in the headers, though is a little vague about the message body. While many MTAs will deal with just \n, I've run accross plenty of them that will exhibit "interesting" behaviours when this happens. Those MTAs that are strict in compliance will definitely break when header lines are terminated with only \n. They will also most likely break if the body of the message contains more than 1000 consecutive characters without a \r\n.*
Note that RFC 821 is a little more clear in defining:
     A a sequence of ASCII characters ending with a <CRLF>."
RFC 821 makes no distinction between header lines and message body lines, since both are actually transmitted during the DATA phase.
Bottom line, best practice is to be sure to convert any bare \n characters in the message to \r\n.
* "The maximum total length of a text line including the <CRLF> is 1000 characters" (RFC 821)


In the posting "gregBOGUS at BOGUSlorriman dot com 6th april 2005" I claimed that redirecting an email, via the mail() function, to a different email address was as simple as copying over the unmodified headers of the originally recieved email (which would, of course, include the original "To:" field).
However it seems that this works for a Xampp install ( with Mercury as the mail agent, but doesn't work on my webhost without first removing the old "To:" field, and perhaps other header modifications. Therefore it looks like it would be safest to strip any header lines that shouldn't be there. <sigh>


In the code of gordon at kanazawa-gu dot ac dot jp, long subjects become corrupted when using utf-8 encoding because of the length parameter. The following version works even with utf-8:
// ...
// determine length of encoded text within chunks
// and ensure length is even
$length = 75 - strlen($start) - strlen($end);
$length = floor($length/4) * 4;
// ...


In addition to the $to parameter restrictions on Windows (ie. address can not be in "name <>" format), the same restrictions apply to the parsed Cc and Bcc headers of the $additional_headers parameter.
However, you can include a To header in $additional_parameters which lists the addresses in any RFC-2822 format.  (For display purposes only.  You still need to list the bare addresses in the $to parameter.)


If your server doesn't have mb_send_mail() enabled but you want to use non-ascii (multi-byte) chars in an email's subject or name headers, you can use something like the following:
$charset = "iso-2202-jp"; // japanese
$to = encode("japanese name 01", $charset) . " <>";
$from = encode("japanese name 02", $charset) . " <>";
$subject = encode("japanese text");
$message = "does not need to be encoded";
mail($to, $subject, $message, $from);
function encode($in_str, $charset) {
   $out_str = $in_str;
   if ($out_str && $charset) {
       // define start delimimter, end delimiter and spacer
       $end = "?=";
       $start = "=?" . $charset . "?B?";
       $spacer = $end . "\r\n " . $start;
       // determine length of encoded text within chunks
       // and ensure length is even
       $length = 75 - strlen($start) - strlen($end);
       $length = floor($length/2) * 2;
       // encode the string and split it into chunks
       // with spacers after each chunk
       $out_str = base64_encode($out_str);
       $out_str = chunk_split($out_str, $length, $spacer);
       // remove trailing spacer and
       // add start and end delimiters
       $spacer = preg_quote($spacer);
       $out_str = preg_replace("/" . $spacer . "$/", "", $out_str);
       $out_str = $start . $out_str . $end;
   return $out_str;
// for details on Message Header Extensions
// for Non-ASCII Text see ...


If you're using a linux server using Postfix, and your server hasn't the host name set to a valid name (because it's behind a firewall in an intranet), it's possible that when sending mails using the mail function, some mail servers reject them. This is because they can't check the return path header. If you want to change the Return-Path used by sendmail init the php.ini and edit the sendmail_path variable to this:
sendmail_path = "sendmail -t -i -F -f"


if you send mail to you don't use "\r\n" and you use only "\n" in headers


if you don't have access to the mail function or got a own smtp server you can use this class to send mails.


I'm copying Ben Cooke's note from the main mail page into here because I didn't find it initially. The issue described below caused me a lot of problems because of Postfix converting a single \r\n into double new lines, resulting in corrupted mail.
Note that there is a big difference between the behavior of this function on Windows systems vs. UNIX systems. On Windows it delivers directly to an SMTP server, while on a UNIX system it uses a local command to hand off to the system's own MTA.
The upshot of all this is that on a Windows system your  message and headers must use the standard line endings \r\n as prescribed by the email specs. On a UNIX system the MTA's "sendmail" interface assumes that recieved data will use UNIX line endings and will turn any \n to \r\n, so you must supply only \n to mail() on a UNIX system to avoid the MTA hypercorrecting to \r\r\n.
If you use plain old \n on a Windows system, some MTAs will get a little upset. qmail in particular will refuse outright to accept any message that has a lonely \n without an accompanying \r.


I use text/plain charaset=iso-8859-1 and get bad headers complain from amavis. This helped me:
$subject = mb_encode_mimeheader('ääööö test test öäöäöä','UTF-8');
php-version 5.2.2


I haven't seen in this page a reference about how to properly handle subject encoding when using non-ascii characters. I've found that info at, which I paste:
"According to RFC 2822, mail header fields, including the subject, MUST be composed of printable US-ASCII characters (i.e., characters that have values between 33 and 126, inclusive). So if you want a subject with accents, you must encode it from your original character set to a US-ASCII character set. There are 2 of ways to do this: quoted-printable or base64.
Now we have an encoded subject, but our mail reader won't know that. So we need to tell it by formatting our subject as follows: "=?" charset "?" encoding "?" encoded-text "?=" , where charset is the original character set and encoding is either "Q" for Quoted-Printable or "B" for Base64.
E.g The subject containing the Quoted-Printable ISO-8859-1 string "Voilà une message", is written as:
Subject: =?ISO-8859-1?Q?Voil=E0_une_message?=
The Base64 version of the ISO-8859-1 string is:
Subject: =?ISO-8859-1?B?Vm9pbOAgdW5lIG1lc3NhZ2U=?=
The Quoted-Printable version of the UTF-8 string is:
Subject: =?UTF-8?Q?Voil=C3=A0_une_message?=
The Base64 version of the UTF-8 string is:
Subject: =?UTF-8?B?Vm9pbMOgIHVuZSBtZXNzYWdl?=
"Raw" non-encoded subjects can work and modern mail clients handle it properly, but I found that at least using utf-8 as encoding, the spam analizers complain stating "BAD HEADER Non-encoded 8-bit data". To prevent this, and taking the info above, I decided to use base64, which at least seems to have specific functions (and because it works, of course). So, one could use the following code:
$subject='Subject with extra chars: áéíóú';
$body='This is the body';
$headers="From: ".$from."\n"
. "Content-Type: text/plain; charset=$charset; format=flowed\n"
. "MIME-Version: 1.0\n"
. "Content-Transfer-Encoding: 8bit\n"
. "X-Mailer: PHP\n";
mail($to,$encoded_subject, $body,$headers);
Of course, this can be "enhanced" by encoding only if there are non-ASCII characters, but I don't think I need it. Maybe the CPU work, used time and results don't deserve it.


I had trouble getting multiple emails sent for Outlook accounts (a single PHP page performed 2 mail() calls).
The PHP mail() function works correctly, but the same mails that were recieved on a private POP3 server were randomly missing by our intranet Outlook exchange server.
If you have the same problem, try to verify that the "Message-ID: " is unique at the $headers string. i.e.
$headers = [...] .
"Message-ID: <". time() .rand(1,1000). "@".$_SERVER['SERVER_NAME'].">". "\r\n" [...];
(rand() is used only for demonstration purposes. a better way is to use an index variable that increments (i++) after each mail)
I noticed that when multiple messeges were sent simultaneously, the message-id was the same (probably there was no miliseconds differential). My guess is that Outlook is collating messages with the same message-ID; a thing that causes only one email to pass to the Outlook inbox instead of a few.


I had a lot of trouble trying to send multipart messages to gmail accounts until I discovered gmail does not like carriage returns, even under unix I have to use only new lines (\n) and forget about the (\r) . Other email clients such as eudora, outlook, hotmail or yahoo seem not to have issues about the "missing" \r . Hope it helps.


I get a 550 error when using mail() with this To format:
User <>
When it's changed to just the bare email, it works fine. Just FYI that some mail servers may behave this way.


I found out that a ms server (ESMTP MAIL Service, Version: 5.0.2195.6713) also had the problem using CRLF in the headers:
If messages are not received, try using a LF (\n) only. Some poor quality Unix mail transfer agents replace LF by CRLF automatically (which leads to doubling CR if CRLF is used). This should be a last resort, as it does not comply with RFC 2822.
The suggested fix works.

linas.galvanauskas {eta} ntt . lt

I'm using phpmailer from
and I have no problems.
Good luck


Here's my way of detecting an attempt to hijack my mail form.
<?php #requires PHP 5 or greater
$request = array_map('trim',($_SERVER['REQUEST_METHOD'] == "POST") ? $_POST : $_GET) ;
//check for spam injection
$allfields = implode('',$request) ;
$nontext = $request ;
unset($nontext['message'] );
$nontextfields = implode ('',$nontext) ;
if ((strpos ($nontextfields,"\\r")!==false) ||
(strpos ($nontextfields,"\\n")!==false) ||
(stripos ($allfields,"Content-Transfer-Encoding")!==false) ||
(stripos ($allfields,"MIME-Version")!==false) ||
(stripos ($allfields,"Content-Type")!==false) ||
($request['checkfield']!=$check) ||
(empty($_SERVER['HTTP_USER_AGENT']))) die('Incorrect request') ; //stop spammers ?>
First, I put the data into an array $request, then set up two strings: $allfields, which is just all fields concatenated, then $nontext, which excludes those fields in which \r\n is allowed (e.g., the message body). Any form field in which \r\n is allowed should be unset in the $nontext array before the second implode function (my message field is called 'message', so I unset that). I also include a hidden field in the form with a preset value ('checkfield', $check), so I can see if something is trying to alter all fields.
This is a combination of a lot of things mentioned in the messages below...


hello ok i have this email form right and it is
if (isset($_REQUEST['email']))
//if "email" is filled out, send email
 //send email
 $email = $_REQUEST['email'] ;
 $subject = $_REQUEST['subject'] ;
 $message = $_REQUEST['message'] ;
 mail( "", "Subject: $subject",
 $message, "From: $email" );
 echo "Thank you for using our mail form";
//if "email" is not filled out, display the form
 echo "<form method='post' action='mailform.php'>
 Email: <input name='email' type='text' /><br />
 Subject: <input name='subject' type='text' /><br />
 Message:<br />
 <textarea name='message' rows='15' cols='40'>
 </textarea><br />
 <input type='submit' />
i like it but i want to change like but i want it to ask for sending it "TOO" and it automatically post the sender


Hello firends,
Good article about email:
With regards,Hossein

alan hogan +php

Header injection is a very real, common threat in which an attacker uses your mail form to send mail to whomever he chooses!  I've been hit, myself, and on a website with relatively little traffic!  Read more about it here:

a dot hari

Guido, the same you can do like this.
while ($emailadresses = mysql_fetch_array($query, MYSQL_ASSOC)) {
  foreach ($emailadresses as $oneMailadres) {
      $recepientsArr[] = "$oneMailadres"; //build up the recepients array
// this is the tricky part: mail() will not sent to all the emailadresses, if you let your string end with ', ', so I used substr() to remove the last two characters from the string (comma and space).
$recepients = substr($recepients, 0, -2);
// this.
$recepients = implode(",", $recepientsArr[]);
//actual sending
mail($recepients, $subject, $mailbody, "From: $senderAddress");

alex jaspersen

For qmail users, I have written a function that talks directly to qmail-queue, rather than going through the sendmail wrapper used by mail(). Thus it allows more direct control over the message (for example, you can adapt the function to display "undisclosed recipients" in to the To: header). It also performs careful validation of the e-mail addresses passed to it, making it more difficult for spammers to exploit your scripts.
Please note that this function differs from the mail() function in that the from address must be passed as a _separate_ argument. It is automatically put into the message headers and _does not_ need to be included in $additional_headers.
$to can either be an array or a single address contained in a string.
$message should not contain any carriage return characters - only linefeeds.
No validation is performed on $additional_headers. This is mostly unnecessary because qmail will ignore any additional To: headers injected by a malicious user. However if you have some strange mail setup it might be a problem.
The function returns false if the message fails validation or is rejected by qmail-queue, and returns true on success.
function qmail_queue($to, $from, $subject, $message, $additional_headers = "")
// qmail-queue location and hostname used for Message-Id
$cmd = "/var/qmail/bin/qmail-queue";
$hostname = trim(file_get_contents("/var/qmail/control/me"));

// convert $to into an array
$to = array($to);

// e-mail address validation
$e = "/^[-+\\.0-9=a-z_]+@([-0-9a-z]+\\.)+([0-9a-z]){2,4}$/i";
// from address
if(!preg_match($e, $from)) return false;
// to address(es)
foreach($to as $rcpt)
if(!preg_match($e, $rcpt)) return false;

// subject validation (only printable 7-bit ascii characters allowed)
// needs to be adapted to allow for foreign languages with 8-bit characters
if(!preg_match("/^[\\040-\\176]+$/", $subject)) return false;


// open qmail-queue process
$dspec = array
array("pipe", "r"), // message descriptor
array("pipe", "r") // envelope descriptor
$pipes = array();
$proc = proc_open($cmd, $dspec, $pipes);
if(!is_resource($proc)) return false;

// write additional headers
fwrite($pipes[0], $additional_headers . "\n");

// write to/from/subject/date/message-ID headers
fwrite($pipes[0], "To: " . $to[0]); // first recipient
for($i = 1; $i < sizeof($to); $i++) // additional recipients
fwrite($pipes[0], ", " . $to[$i]);
fwrite($pipes[0], "\nSubject: " . $subject . "\n");
fwrite($pipes[0], "From: " . $from . "\n");
fwrite($pipes[0], "Message-Id: <" . md5(uniqid(microtime())) . "@" . $hostname . ">\n");
fwrite($pipes[0], "Date: " . date("r") . "\n\n");
fwrite($pipes[0], $message);
fwrite($pipes[0], "\n");

// write from address and recipients
fwrite($pipes[1], "F" . $from . "\0");
foreach($to as $rcpt)
fwrite($pipes[1], "T" . $rcpt . "\0");
fwrite($pipes[1], "\0");

// return true on success.
return proc_close($proc) == 0;


For me, WinXP, EasyPHP, sending a mail with the headers lines separated by : \r\n
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
When I put the script online, and call it in order to send mail,
the html is displayed in the mail client (tested Outlook Express and Thunderbird) when you want to read the message sent by php. Some of the headers are considered like text (but it works when sent from local).
Solution : not use \r\n but only \n.


First excuse me for bad english. I'm working on a function that send html or text or both, e-mail message. I try all the example but no one working on my system (windows XP with PostCast SMTP server). Finally i try this and work. I hope your find useful:
function mailTo ($from, $to, $oggetto, $contenuto, $type = "both", $reply = true) {
// If $contenuto == file reading
$messaggio = @file_get_contents( $content, 1);
if ($messaggio) { $contenuto = $messaggio; }
$messaggio = '';
// Standar Header
$crlf = chr(10) . chr(13);
$intestazione  = "To: {$to}" . $crlf;
$intestazione .= "From: {$from}" . $crlf;
$intestazione .= "Return-Path: " . (($reply)? $from : substr_replace($from, "noreply", 0, strpos($from, '@'))) . $crlf;
$intestazione .= 'Reply-To: ' .(($reply)? $from : substr_replace($from, "noreply", 0, strpos($from, '@'))) . $crlf;
  $intestazione .= 'X-Mailer: PHP/' . phpversion() . $crlf;
// MIME boundary
$separatore = 'PHP' . md5(uniqid(time()));
// MIME Header
$intestazione .= 'MIME-Version: 1.0' . $crlf;
switch ($type){
case 'html' :
                       // Header for client non MIME compatible
$intestazione .= 'Content-Type: text/html; charset=ISO-8859-15' . $crlf;
$intestazione .= 'Content-Transfer-Encoding: 7bit' . $crlf;
$messaggio .= "\n{$contenuto}\n";
case 'both' :
$intestazione .= "Content-Type: multipart/alternative;\n\tboundary=\"" . $separatore . '"' . $crlf;
// Create message for no mime client
$messaggio .= "For English People: This is a multi-part message in MIME format.\nIf you are reading this, consider upgrading your e-mail client to a MIME-compatible client.\n";
$messaggio .= "For Italian People: Questo è un messaggio MIME.\nSe si stà leggendo questa nota, consigliamo l\'aggiornamento del programma di posta elettronica con uno compatibile MIME";
$messaggio .= "\n--{$separatore}\n";
$messaggio .= "Content-Type: text/plain; charset=ISO-8859-15\n";
$messaggio .= "Content-Transfer-Encoding: 7bit\n\n";
case 'text' :
$messaggio .= strip_tags($contenuto);
if ($type == 'both') {
$messaggio .= "\n--{$separatore}\n";;
$messaggio .= "Content-Type: text/html; charset=ISO-8859-15\n";
$messaggio .= "Content-Transfer-Encoding: 7bit\n";
$messaggio .= "\n{$contenuto}";
$messaggio .= "\n--{$separatore}\n";
// Send MAIL
return  mail($to, $oggetto, $messaggio, $intestazione);

24-jul-2006 04:55

correction for class multipartmail
function addmessage($msg = "", $ctype = "text/plain"){
        $this->parts[0] ....
if you are adding attachment first and then addmessage you can easy overwrite added attachment - better use
function addmessage($msg = "", $ctype = "text/plain"){
        $this->parts[count($this->parts)] ....


Change the function addattachment for multipartmail to auto detect the mime_content_type ...
    function addattachment($file){
        $fname = substr(strrchr($file, "/"), 1);
        $data = file_get_contents($file);
        $i = count($this->parts);
        $content_id = "part$i." . sprintf("%09d", crc32($fname)) . strrchr($this->to_address, "@");
        $this->parts[$i] = "Content-Type: ".mime_content_type($file)."; name=\"$fname\"\r\n" .
                          "Content-Transfer-Encoding: base64\r\n" .
                          "Content-ID: <$content_id>\r\n" .
                          "Content-Disposition: inline;\n" .
                          " filename=\"$fname\"\r\n" .
                          "\n" .
                          chunk_split( base64_encode($data), 68, "\n");
        return $content_id;


As noted in other, well, notes; the "additional headers" parameter can be easily exploited, when doing things like:
 mail( $_POST['to'], $_POST['subject'], $_POST['message'], 'Reply-to: '.$_POST['from']."\r\n" );
An easy way of fixing this, is removing CRLFs from the header-strings, like so:
 $_POST['from'] = str_replace( "\r\n", '', $_POST['from'] );
This way, the extra data will be part of the previous header.


An important rule of thumb, because it seems few really follow it and it can alleviate so many headaches: When filtering your email headers for injection characters use a regular expression to judge whether the user's input is valid.  For example to see if the user entered a valid e-mail address use something like  [a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}.  Dont try to filter out bad characters (like searching for LF or CR), because you will ALWAYS miss something.  You can be sure your application is more secure going this route....provided the regular expression is valid!  This same point goes for any sort of form input not just for sending out emails.


An addition to the comment by gordon at kanazawa-gu dot ac dot jp:
In his function encode() he has the following line:
$length = floor($length/2) * 2;
which should actually be
$length = $length - ($length % 4);
This means: $length should not be even, but divisible by 4. The reason is that in base64-encoding 3 8-bit-chars are represented by 4 6-bit-chars. These 4 chars must not be split between two encoded words, according to RFC-2047.


A comfortable way to redirect an email :
(Obviously there are other ways to redirect, but this could save someone a lot of hassle. )
If all you want to do is redirect an email and you want to do it from the comfort of the mail() and imap_X() functions then surprisingly mail() will successfully send an email to your chosen destination with the contents intact (text/mime/multipart whatever) by just dumping the result of imap_fetchheader into the header parameter and dumping imap_body into the body parameter. For example :
mail('',$header->Subject,imap_body($mbox,1), imap_fetchheader($mbox,1));
Notice that you still have to transfer the subject line manually using imap_header.
One note, however, is that it may be possible on particular platforms that the header info might have had its CRLFs mangled and so this technique might need adjustment if you are unlucky.
Also note that this is a somewhat surprising method, and one might be (wisely) circumspect about using a technique that could be broken by an unfortunate updating of mail(). However I don't believe this is a significant concern as the mail() function is very simple in what it offers, such that the likelyhood of broken code is about as minimal as can be expected. However apps that need to be industrially strong should probably not use this technique.

18-apr-2005 08:20

A co-worker of mine had a problem where she needed to have a backslash in the header. Basically, the name of the company has a couple of backslashes in it. However, when the recipient was receiving the email, the "From:" part had the backslashes removed. We got it to work but placing three backslashes whenever we wanted one to show up. I'd assume that the mail server was modifying the headers and this is not really an issue with php. Anyway, thought this might help someone.

Change Language

Follow Navioo On Twitter
eXTReMe Tracker