I do fill in from and subject from what's entered in the form, but also pass through some validation.

I've done some reading and testing. The From field is secure because of email validation I employ. Subject is secure because it's stripped of new lines by the mail function in PHP.

The problem field turns out to be a Name field that I use for a person's plaintext name along with their address. I have to check what types of filters I put it through and adjust accordingly.

This is what I've been reading for reference:

http://www.securephpwiki.com/index.php/Email_Injection