What is header injection?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Header injection is when someone tricks your mail server into adding extra headers that weren't supposed to be there. Think of it as sneaking instructions into a package right before it ships.

The attack works through contact forms or any place where user input gets turned into email headers. An attacker types something like this into a Subject field: Help\r\nBCC: 1000-spam-victims@example.com. That \r\n sequence is a carriage return and line feed. It tells the mail server "new line, new header". If your code doesn't clean that input, the server will read it as two separate headers: one Subject line ("Help") and one BCC line with 1,000 unwanted recipients.

What happens next is the bad part. The server sends your email to all those injected addresses using your domain's reputation. Your IP gets used to spam strangers. Your domain gets blocklisted. You get blamed for mail you never intended to send.

This is why every field that touches email headers (Subject, To, From, Reply-To, anything) needs to be sanitized before it reaches the mail library. That means stripping out \r and \n characters, or encoding them so they can't be interpreted as header delimiters. Most modern email libraries handle this automatically if you use them correctly. The mistake happens when developers concatenate strings by hand instead of using the library's safe methods.

And if you're building anything with a contact form, check how your code generates outgoing email. Does it use a library like Nodemailer, PHPMailer, or your ESP's official SDK? Good. Does it build headers by gluing strings together with + or template literals? That's the danger zone.

Worth testing your forms with inputs that contain \r\n sequences to see if they get through. If they do, fix it before someone else finds it. If you're stuck, our SOS hotline can walk you through what safe header handling looks like for your stack.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get personalized code review help

I read this on the Email Almanac about header injection attacks: "Header injection is when someone tricks your mail server into adding extra headers through contact forms or user input. An attacker types something like Help\r\nBCC: 1000-spam-victims@example.com into a Subject field. If your code doesn't sanitize that input, the server reads it as two headers and sends your email to all those injected addresses using your domain's reputation." Help me understand how this applies to MY specific situation. I need: 1. Code review guidance: What should I look for in my current email-sending code? Which patterns are safe vs. dangerous? 2. Library recommendations: Which email libraries handle header sanitization automatically for my stack? 3. Testing approach: How do I test my forms for this vulnerability without actually sending spam? 4. Remediation steps: If I find the vulnerability, what's the fix? --- My details (the more you share, the better the advice): - Development stack: e.g. Node.js, PHP, Python, Ruby, .NET - Email library/method: [e.g. Nodemailer, PHPMailer, native mail(), ESP SDK, custom SMTP] - Where user input touches email: contact forms, support tickets, referral invites, etc. - Current sanitization approach: describe if any, or say "none that I know of" - Hosting environment: shared hosting, VPS, cloud platform - Experience level: beginner / intermediate / advanced developer

Edit the yellow boxes, then send to the AI of your choice.