The first step would be to not have this script accessible as a CGI script at all. It should never be below /cgi-bin or wherever all PHP files of your site live.

NEVER accept untrusted user data in the headers of an email. The email parameter may well contain newlines which will turn your script into a spam cannon. Only ever include the user data in the mail body (if at all). If you feel that it is important to have the form submission appear as a mail from somebody, at least remove all whitespace from it.

As your mail script outputs some HTML, it seems that your intention still is that a browser accesses the script. Then you should rethink your knowledge about HTML and HTTP and how they interact.

The second step would be to replace all usage of sendmail with MIME::Lite to send the mail.

A potentially useful script is the FormMail script from nms-cgi. That one does not do the encryption of in-flight data, so you will have to add that yourself.