You have a delimiter there: newlines. Assuming they don't get passed through a layer that mangles white space at any point, it should work. Make sure to get your input box wide enough that you don't get bit by wrapping on

John Smith (john.smith@earthlink.net)
Bill Jones (bill_jones@hiscompany.com)     Bill Jones (bill_jones@hisc
+ompany.com)
etc
etc
[download]

Note that the security problem is not with the machine that views the form, but with the remote server. Anyone on the Internet could craft an HTTP request to fool your remote server into sending messages unless you, say, configure Apache to whitelist only service requests from your machine. Right now you can operate because no one has found your service, but security-through-obscurity is not a good model. Other than helping a spammer, the other major risk is that a spammer gets your server blacklisted. And that's presuming they don't take advantage of some obscure sendmail bug to own your remote server.