I've just spent a couple of months slapping my head on the desk over this question (being largely self-taught, it is my best recourse). Lessons I have learned so far:
I run server-side validation on all input using htmlspecialchars(), strip_tags() and stripslashes() - nested in that order like so:
$name = htmlspecialchars(strip_tags(stripslashes($message['First'])), ENT_COMPAT, 'UTF-8');
For emails, I use something like:
$sanitised = filter_var($email, FILTER_SANITIZE_EMAIL);
$clean = filter_var($sanitised, FILTER_VALIDATE_EMAIL);
For good measure I also use checkdnsrr() on the filtered email address ($clean). Opinion is divided on that last function since it relies on a registry of valid domain names so it is liable to miss out some obscure but nonetheless valid addresses. Then again, email validation is a very hairy area with no absolute solution so opinion tends to be divided on any approach you might consider.
My thoughts are that it's best left to the brains behind PHP and HTML5 who, I trust, have given the matter all due consideration.
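To see what the two chains described in this answer actually do, here is a small stand-alone script that runs them over a handful of constructed inputs. It is an added example, not code from the answer above; the function names, the sample values and the optional `$checkDns` switch are my own. It also exposes two details worth knowing when you adopt the approach: `ENT_COMPAT` leaves single quotes untouched (use `ENT_QUOTES` if the value ever lands inside a single-quoted attribute), and running `FILTER_SANITIZE_EMAIL` before `FILTER_VALIDATE_EMAIL` can turn an obviously broken address into one that passes, because the sanitiser simply deletes the characters it does not like.

```php
<?php
// Added example, not part of the original answer.
// Runs the sanitise/validate chains from the answer over constructed inputs
// so the effect of each step is visible. Requires PHP 7.1+ (nullable types).
declare(strict_types=1);

/**
 * Free-text field, exactly the nesting shown in the answer:
 * stripslashes -> strip_tags -> htmlspecialchars.
 * stripslashes only undoes magic_quotes_gpc, which PHP removed in 5.4, so on
 * modern PHP it changes nothing unless the client literally sent backslashes.
 */
function sanitiseText(string $raw): string
{
    return htmlspecialchars(strip_tags(stripslashes($raw)), ENT_COMPAT, 'UTF-8');
}

/**
 * Same chain with ENT_QUOTES: also encodes single quotes, which matters when
 * the value is echoed inside a single-quoted HTML attribute or a JS string.
 */
function sanitiseTextQuotes(string $raw): string
{
    return htmlspecialchars(strip_tags(stripslashes($raw)), ENT_QUOTES, 'UTF-8');
}

/**
 * E-mail: FILTER_SANITIZE_EMAIL strips every character outside the set
 * letters, digits and !#$%&'*+-=?^_`{|}~@.[]; FILTER_VALIDATE_EMAIL then
 * checks the syntax. Returns the address or null when it is rejected.
 *
 * $checkDns is an assumed option for the checkdnsrr() step the answer mentions;
 * it needs network access, so it is off by default.
 */
function validateEmail(string $raw, bool $checkDns = false): ?string
{
    $sanitised = filter_var($raw, FILTER_SANITIZE_EMAIL);
    $clean = filter_var($sanitised, FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        return null;
    }
    if ($checkDns) {
        $domain = substr($clean, strrpos($clean, '@') + 1);
        // A mail domain needs an MX record, or at least an A record as fallback.
        if (!checkdnsrr($domain, 'MX') && !checkdnsrr($domain, 'A')) {
            return null;
        }
    }
    return $clean;
}

/**
 * Stricter alternative: validate the raw value first and reject instead of
 * repairing it, so garbage cannot be "sanitised" into a passing address.
 */
function validateEmailStrict(string $raw): ?string
{
    $clean = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// Constructed sample inputs (not real form submissions).
$names = [
    "O'Brien <script>alert(1)</script>",   // tag stripped, payload text remains
    'Mc\\\'Donald',                        // backslash removed by stripslashes
    '"Bob" <b>Smith</b> & Sons',           // quotes and ampersand encoded
];
$emails = [
    '  alice@example.com ',          // spaces removed by the sanitiser, then valid
    'not an email',                  // no @ at all: rejected by both
    'carol@example.com<script>',     // sanitiser deletes < and >, leaving a syntactically valid address
];

foreach ($names as $raw) {
    printf("name %-38s ENT_COMPAT: %-32s ENT_QUOTES: %s\n",
        var_export($raw, true), sanitiseText($raw), sanitiseTextQuotes($raw));
}
foreach ($emails as $raw) {
    printf("email %-30s sanitise+validate: %-28s strict: %s\n",
        var_export($raw, true),
        validateEmail($raw) ?? 'REJECTED',
        validateEmailStrict($raw) ?? 'REJECTED');
}
```

Run it with `php example.php`. The third e-mail sample is the one to watch: the sanitise-then-validate order turns `carol@example.com<script>` into `carol@example.comscript` and accepts it, whereas validating the raw value rejects it outright. Passing `true` as the second argument to `validateEmail()` enables the DNS check; leave it off when you have no network or when you are testing with reserved domains.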