diff --git a/htmlmail.mail.inc b/htmlmail.mail.inc
index e1126de..d6043e2 100644
--- a/htmlmail.mail.inc
+++ b/htmlmail.mail.inc
@@ -262,7 +262,7 @@ class HTMLMailSystem implements MailSystemInterface {
         // if the parameter is NULL.
         $result = @mail($to, $subject, $body, $txt_headers);
       }
-      else {
+      elseif ((variable_get('site_mail', ini_get('sendmail_from')) == $message['headers']['Return-Path'] || self::_isShellSafe($message['headers']['Return-Path']))) {
         // On most non-Windows systems, the "-f" option to the sendmail command
         // is used to set the Return-Path.
         $extra = '-f' . $message['headers']['Return-Path'];
@@ -319,4 +319,26 @@ class HTMLMailSystem implements MailSystemInterface {
     }
     return implode("\n", $output);
   }
+
+  /**
+   * Disallows potentially unsafe shell characters.
+   *
+   * @param string $string
+   *   The string to be validated.
+   *
+   * @return bool
+   *   True if the string is shell-safe.
+   *
+   * @see https://api.drupal.org/api/drupal/modules%21system%21system.mail.inc/7.x
+   */
+  protected static function _isShellSafe($string) {
+    if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
+      return FALSE;
+    }
+    if (preg_match('/[^a-zA-Z0-9@_\-.]/', $string) !== 0) {
+      return FALSE;
+    }
+    return TRUE;
+  }
+
 }