
How to make a secure PHP mail send for HTML forms?

Discussion in 'PHP' started by Puntocom81, Apr 21, 2016.

  1. #1
    Hello. I'm hosting a sucky mail-sending script from a friend's website and I want to replace it with a secure version. I've looked on Google, but with so much misinformation I'm not sure how to proceed.

    The current code is:

    // fields straight from the form; only the address gets any filtering
    $first_name = $_POST['nombre'];
    $email_from = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
    $telephone = $_POST['telefono'];
    $comments = $_POST['mensaje'];

    $email_message = "Nombre: ". $first_name ."\n";
    $email_message .= "Email: ". $email_from ."\n";
    $email_message .= "Telephone: ". $telephone ."\n";
    $email_message .= "Comments: ". $comments ."\n";

    // create email headers ($email_to and $email_subject are set earlier in the script);
    // the visitor's address is used as the From sender
    $headers = 'From: '.$email_from."\r\n".
      'Reply-To: '.$email_from."\r\n" .
      'X-Mailer: PHP/' . phpversion();
    // @ hides any error from mail(); its return value is not checked
    @mail($email_to, $email_subject, $email_message, $headers);

    I added the filter_var part for $email_from, but I want to know how to write this program correctly. Could you point me to some good code for doing this? I don't want my server to turn into a spam-sending machine.
     
    Puntocom81, Apr 21, 2016 IP
  2. Anveto (Well-Known Member)
    #2
    As long as you allow users to send to any email address, it can be used for sending spam; there is no easy way around that.

    reCAPTCHA is probably the best spam prevention tool, but it can be bypassed: https://www.google.com/recaptcha/intro/index.html

    But don't let random people decide where to send the email, especially if they can enter a message as well. This will only lead to abuse and spam from your server.
     
    Anveto, Apr 21, 2016 IP
  3. Puntocom81 (Banned)
    #3
    The email is (supposedly) only sent to the site owner's email.

    I want to know the most correct way to handle an HTML form with PHP.
     
    Puntocom81, Apr 21, 2016 IP
  4. Anveto (Well-Known Member)
    #4
    Post your form code and the entire PHP code so we can help you better.
     
    Anveto, Apr 21, 2016 IP
  5. Puntocom81 (Banned)
    #5
    The HTML form - and the full site - is an inaccessible disaster and the site must be nuked. I'm going to follow http://cutcodedown.com/tutorial/forms_part1 to make a form from scratch, but I need to know how to write the PHP script properly.

    The current code from my friend's site is this (not done by me):

    <?php
    if(isset($_POST['email'])) {
      // recipient is fixed in the script (address redacted)
      $email_to = "xxxxxxxxxxxxxxxx";

      // subject falls back to a default, otherwise comes straight from the form
      if( !isset($_POST['asunto']) )
        $email_subject = "Mail desde xxxxxxxxx"; // "Mail from <site>"
      else
        $email_subject = $_POST['asunto'];

      // error reporter; defined here but never called by the rest of the script
      function died($error) {
        // your error code can go here
        echo "We are very sorry, but there were error(s) found with the form you submitted. ";
        echo "These errors appear below.<br /><br />";
        echo $error."<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
      }

      // form fields; only the address gets any filtering
      $first_name = $_POST['nombre']; // required
      $email_from = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL); // required
      $telephone = $_POST['telefono']; // not required
      $comments = $_POST['mensaje']; // required

      $email_message = "Nombre: ". $first_name ."\n";
      $email_message .= "Email: ". $email_from ."\n";
      $email_message .= "Telephone: ". $telephone ."\n";
      $email_message .= "Comments: ". $comments ."\n";

      // create email headers; the visitor's address is used as the From sender
      $headers = 'From: '.$email_from."\r\n".
        'Reply-To: '.$email_from."\r\n" .
        'X-Mailer: PHP/' . phpversion();
      // @ hides any error from mail(); its return value is not checked
      @mail($email_to, $email_subject, $email_message, $headers);
    ?>
    <!-- include your own success html here -->
    Gracias por contactar con nosotros. Te responderemos lo antes posible. Hasta pronto!!
    <!-- (Thanks for contacting us. We will reply as soon as possible. See you soon!!) -->

    <script language="javascript">
    setTimeout("top.location.href = 'index.php'",5000);
    </script>

    <?php
    }
    ?>

    Security-wise, is it better to use a Perl script instead of PHP? I'm considering that since it would facilitate system administration.
     
    Last edited: Apr 21, 2016
    Puntocom81, Apr 21, 2016 IP
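
A hardened version of the handler posted in #1 and #5, written against the points raised in #2 (the visitor must never choose the recipient, and the message body is the only thing they should control). This is an added example, not code from the thread or from the poster's site. It assumes the same field names (nombre, email, telefono, mensaje) plus a hidden honeypot field called "website", a site domain of example.com with a mailbox web@example.com that the server is allowed to send as, a fixed recipient owner@example.com, and a thank-you page at /gracias.html; all of those are assumptions, not values from the original post. The subject is fixed server-side instead of coming from $_POST['asunto'], From is the site's own address (so SPF/DKIM/DMARC checks at the receiving side pass) with the visitor's address only in Reply-To, every value that reaches a header is refused if it contains CR/LF, and the @ suppression is gone so a failing mail() is logged rather than silently ignored.

```php
<?php
// Hardened contact-form handler (added example; not the thread's code).
// Assumed names (not from the original post): field "website" is a hidden
// honeypot, example.com is the site's domain, owner@example.com the recipient.
declare(strict_types=1);

const CONTACT_RECIPIENT = 'owner@example.com';   // never taken from the request
const MAIL_SENDER       = 'web@example.com';     // a mailbox on the site's own domain
const SITE_NAME         = 'example.com';

/**
 * Refuse any value that could start a new header line. PHP's mail() does
 * some control-character cleanup of $to and $subject on its own, but the
 * additional headers we assemble here are our responsibility, and
 * rejecting early is simpler than relying on that behaviour.
 */
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Validate the submitted fields and return the arguments for mail(), or
 * a non-empty 'errors' list. Nothing user-controlled reaches the recipient,
 * the subject, or the From header.
 */
function build_contact_mail(array $post): array
{
    // Honeypot: real users never fill a hidden field; most bots do.
    if (($post['website'] ?? '') !== '') {
        return ['errors' => ['Submission rejected.']];
    }

    $name    = trim((string)($post['nombre'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $phone   = trim((string)($post['telefono'] ?? ''));
    $message = trim((string)($post['mensaje'] ?? ''));

    $errors = [];
    // Byte lengths on purpose: no mbstring dependency, and the limits are generous.
    if ($name === '' || strlen($name) > 200) {
        $errors[] = 'Name is required (max 200 bytes).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || !header_safe($email)) {
        $errors[] = 'A valid email address is required.';
    }
    if ($phone !== '' && !preg_match('/^\+?[0-9 ()\-]{6,30}$/', $phone)) {
        $errors[] = 'Telephone may contain only digits, spaces, +, -, ( and ).';
    }
    if ($message === '' || strlen($message) > 20000) {
        $errors[] = 'Message is required (max 20000 bytes).';
    }
    if ($errors) {
        return ['errors' => $errors];
    }

    // Fixed subject; the old script took it from $_POST['asunto'].
    $subject = 'Contact form message from ' . SITE_NAME;

    $body = "Name: {$name}\n"
          . "Email: {$email}\n"
          . "Telephone: {$phone}\n"
          . "Message:\n{$message}\n";

    // From is our own address; the visitor's address goes in Reply-To only,
    // so replying still works but nobody can send "as" an arbitrary sender.
    $headers = [
        'From: ' . SITE_NAME . ' <' . MAIL_SENDER . '>',
        'Reply-To: ' . $email,
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
        'Content-Transfer-Encoding: 8bit',
    ];

    return [
        'errors'  => [],
        'to'      => CONTACT_RECIPIENT,
        'subject' => $subject,
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// Request handling: POST only, and raw user input is never echoed back.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $mail = build_contact_mail($_POST);
    if ($mail['errors']) {
        http_response_code(422);
        foreach ($mail['errors'] as $e) {
            echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
        }
        exit;
    }
    // No @: a failed mail() goes to the error log, not silently into the void.
    if (!mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers'])) {
        error_log('contact form: mail() returned false');
        http_response_code(500);
        echo '<p>Sorry, your message could not be sent right now.</p>';
        exit;
    }
    // Redirect after POST instead of a JavaScript timer, so a page refresh
    // does not resubmit the form (assumed thank-you page).
    header('Location: /gracias.html', true, 303);
    exit;
}
```

The honeypot is a weaker substitute for the reCAPTCHA suggested in #2, and neither replaces a per-IP rate limit at the web server, which is the only thing that caps how many messages one visitor can push through a form whose recipient is fixed. If the site later needs the visitor to pick a department, map a short key from a drop-down to addresses in a server-side array rather than accepting an address from the request.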