We currently use PHPMailer (and PHPMailerLite, which is basically the same thing but without SMTP wire code) to build SMTP message bodies for mail.
Over time we've made changes to these classes to defuse security issues, work around bugs, or add capabilities, and it feels like we've reached a position where the cost of these externals (which are not very large, but have proven rich with issues) outweighs the benefit.
Notable issues:
- T12046, which is fairly egregious.
- T12372, which uncovered some pretty questionable behavior in basic message construction in a realistic environment.
- T5969 isn't exactly related but would fall in line here.
- General issues with /e on regexps, switching to ExecFuture, etc.
- The SES vs PHPMailer vs PHPMailerLite thing is a mess.