Given a contact form that accepts custom user input (e.g. address, subject line, message), what are some security implications and "gotchas" to be careful of?

At a minimum, the user's email address will have to be validated (likely using filter_var() or equivalent). From what I've read, this should also prevent additional headers from being injected into the script.

What about the subject line and message content though? Is any sanitation required for those fields? I figure an email client would prevent things like scripts from running automatically, and I'm not particularly worried about things like HTML tags (if someone wants to spend the time to style an email by hand, that's their prerogative - I just won't be seeing it :P). If sanitation is required, what's the best way of doing it without being too intrusive (i.e. keeping the nature of the email the same)?

If you are using the fourth argument, the optional headers, watch for inserting of extra headers, if you are doing something like this...

mail($to, $subject, $message, 'From: $email');

If $email comes from user input and is not sanitized, a user could enter something like...

\n\rCC:spammer@spamzilla.com

You can avoid this by filtering out \n and \r, or validating $email using the filter_var($email, FILTER_VALIDATE_EMAIL) function.

Ensure that people cannot inject linebreaks in anything but the body. Additionally make the recipient static and never pass it e.g. through a hidden form field. However, adding such a field is not a bad idea; but block the IP if it's not set to the expected value - then your client is probably a spam bot.