Okay, so I have a simple contact form where a user is asked to input his name(required), email(required, checked to see if it is a real email address), telephone number(optional), and a brief message(required, minimum 20 characters). This is then submitted to an email address.

Although nothing the user inputs is posted back by the browser, it does get sent to an email address. From what I have read and come to understand Output escaping by way of the htmlspecialchars function wouldn't be required in my situation since none of the user input is displayed back by the browser. Am I correct? Basically, should I do any kind of data sanitation in my situation? like striping unnecessary characters from anything the user decides to input? What else can I do to provide some extra security? I see a lot of sites don't bother using captchas, this is mostly to prevent bots from spamming emails right?

This form is submitted in ajax, with a PHP fallback in case js is disabled in the users browser.