in reply to security concerns with using mail::mailer

This is the basic advice that you should never trust input read from a file or read from the internet or any other input to your script. In this specific case, you should always make sure that you accept nothing that looks like a newline and pass it on to the Mail::send_headers method. You should run your script with taint mode switched on, in any case.

An easy/simple way to validate your data so that it doesn't contain embedded newlines is the following:

my $subject = $query->param('subject');
$subject = '(Disallowed char in subject)' if $subject =~ m!\n!sm;

You should never read the recipient of a mail from an HTML form!
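
The checks described in the post above, combined into one script as an added example (not code from the original post or from Mail::Mailer). The helper names `clean_header` and `build_headers`, the recipient address and the sample inputs are assumptions made for illustration; it goes slightly beyond the post by rejecting carriage returns and other control characters as well as `\n`.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of Mail::Mailer): return the value if it is a
# single-line header value, otherwise return undef. Because the result comes
# from a regex capture, it is also untainted when the script runs under perl -T.
sub clean_header {
    my ($value) = @_;
    return unless defined $value;
    # \A and \z anchor the whole string; the character class excludes CR, LF
    # and every other control character, so no second header line can survive.
    return $value =~ /\A([^\x00-\x1f\x7f]*)\z/ ? $1 : undef;
}

# The recipient is fixed in the script and never taken from the form.
my $RECIPIENT = 'webmaster@example.com';    # assumed address

# Build the header hash that would be handed to the mailer.
sub build_headers {
    my ($subject) = @_;
    my $clean = clean_header($subject);
    $clean = '(Disallowed char in subject)' unless defined $clean;
    return { To => $RECIPIENT, Subject => $clean };
}

# Constructed sample inputs standing in for $query->param('subject').
my @samples = (
    "Question about my order",
    "Hello\nBcc: someone\@example.com",
    "Hello\r\nX-Injected: 1",
    undef,
);

for my $input (@samples) {
    my $h = build_headers($input);
    printf "To: %s | Subject: %s\n", $h->{To}, $h->{Subject};
}
```

Only the first sample keeps its subject; the other three are replaced by the placeholder text, and the `To` header is the same in every case.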