You don't even have to be running a webmail service, the instant you use any service to send an email with even one user-controlled field (even something as innocuous as their name) you already have a problem.
Yeah, I meant "webmail" in the broadest possible sense. And it's even broader than that: anything that allows making anything public really: from forum comments to Instagram to WordPress sites to Wikipedia.
Remember that for about ten years there was a person who consistently and frequently inserting images of ceiling fans in random articles.
