It really depends more on what the receivers of the email are doing with it. Not encoding with anything would be plenty safe for most mail clients that don't render HTML, running it through encode_entities would probably protect most of those that do render HTML, and even running it through s/\W// may not make it safe enough for Outlook...