OfficeOfTheLaw is exactly right: form mail spam is a big risk.
The way I solve this problem with my own sites is to generate the 'to' field completely server side. I see no reason why the 'to' field ever needs to include user input. Instead of having something like
<input type="hidden" name="recipient" value="email@example.com"/>
the recipient of the mail is configured locally, for instance,
$args = parse_ini_file('config/mail.ini');
mail($args['to'], $_REQUEST['subject'], $_REQUEST['message'], $_REQUEST['from']);
Any comments, good OR bad? I just can't think of too many situations where I would need to allow a user to send an email to an arbitrary address, unless of course I'm writing a webmail app.
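A fuller handler in the same spirit, added here as an example rather than the poster's own code: the recipient still comes only from the server-side config, and the user-supplied values that end up in mail headers are validated first. It assumes a constructed mail.ini with `to` and `subject_prefix` keys and a constructed form submission in place of $_REQUEST.

```php
<?php
// Added example, not the original post's code. The recipient is read from
// server-side configuration only; nothing in the form submission can change it.

// Constructed stand-in for config/mail.ini; a deployment would use parse_ini_file().
$ini = "to = \"webmaster@example.com\"\nsubject_prefix = \"[Contact form] \"\n";
$config = parse_ini_string($ini);

// A header value must not contain CR or LF: a line break would let the
// submitter append further header lines to the message.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Returns true when the message was handed to mail(), false when the
// submission was rejected. $request is the form data (normally $_REQUEST).
function send_contact_mail(array $config, array $request): bool
{
    $from    = trim((string)($request['from'] ?? ''));
    $subject = trim((string)($request['subject'] ?? ''));
    $message = (string)($request['message'] ?? '');

    // Only a syntactically valid address may be placed in From:/Reply-To:.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!header_safe($subject) || !header_safe($from)) {
        return false;
    }

    $to      = $config['to'];                        // config only, never user input
    $subject = $config['subject_prefix'] . $subject;
    $headers = "From: " . $from . "\r\n" . "Reply-To: " . $from;

    return mail($to, $subject, $message, $headers);
}

// Constructed sample submission; a real handler would pass $_REQUEST here.
$sample = ['from' => 'alice@example.org', 'subject' => 'Hello', 'message' => 'Hi there'];
$ok = send_contact_mail($config, $sample);
```

mail() needs a working local MTA; on a host without one it returns false even for a valid submission, so treat the return value as delivery to the MTA, not proof the form data was rejected.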