How to disable the php mail() function

How to disable the php mail() function

cartoon wrestler at computer

Are you frustrated with random PHP scripts being able to send spam from your server? If so you’re not alone. Many website administrators have this problem with PHP scripts on their server, and it can be a time consuming game of whack a mole to deal with it.

There are many reasons you’d want to prevent untrusted PHP scripts from sending spam from your server. Firstly, your IP reputation depends upon it — once your server is known as a source of spam, legitimate emails your server sends out will also get rejected from many mail servers. As well, these kinds of malicious scripts can use an unreasonable amount of resources. Finally, hosting providers and ISPs don’t want their IP addresses blacklisted either, so being a source of spam can cause these vendors to take punitive action against you. Clearly, avoiding this as much as possible is very desirable.

Today, we’ll show you one way to reduce the chances of untrusted PHP scripts from sending spam mail on your server. For this, we’ll show you how to disable the mail() function in PHP. Although this does not 100% prevent the problem, it is a good first step in the fight against spam.

How to do it?

  • First, you’ll want to locate your servers copy of “php.ini” and open it in a text editor.
  • From there, find the “sendmail_path” setting located in the file. This is usually set to run a program such as sendmail, which is a system program that can send emails.
  • To disable the mail() function, simply comment out or delete this setting from php.ini.

Here is an example of a configuration line in php.ini, where we’ve added a ; to the start of the line to comment it out:

;sendmail_path = /usr/sbin/sendmail -t

This change might not take effect until you restart your webserver software such as apache or nginx. The process for this depends upon your OS and webserver. If you can’t figure it out, you can always reboot the whole server, but this is not necessary if you can instead just restart your webserver software.

That’s it!

To remove this change and enable the mail() function again, just edit the file again and remove the semicolon at the beginning of the line — this will uncomment out the line and make it active again.

It is worth noting that disabling the mail() function in PHP will not necessarily prevent emails from being sent from your server. Other programs and services, such as Postfix or Exim, may still be able to send emails even if the mail() function is disabled. If you continue to have problems with untrusted users or scripts sending mail, further restrictions may be necessary, but this is a good start.

In conclusion, disabling the mail() function in PHP is a simple way to prevent untrusted PHP scripts from sending spam from your server. By following these instructions, you can protect your IP address’s email reputation by reducing the risk of blacklisting, which will definitely keep your hosting provider or ISP happy.

Do You Love Servers?

We do! If you’re concerned about server security, IOFLOOD can help. Our dedicated servers provide a secure and reliable environment for your applications, and our team is always available to help you optimize your server’s configuration.

To learn more about our dedicated servers and how we can help you with your specific needs, contact us at sales[at] or visit our website at Our team is ready to answer your questions and help you find the best server for your needs.