This section is going to be based on how to abuse this parameter supposing that an attacker controls it.
This parameter is going to be added to the command line PHP will be using to invoke the binary sendmail. However, it will be sanitised with the function escapeshellcmd($additional_parameters).
An attacker can inject extract parameters for sendmail in this case.
Differences in the implementation of /usr/sbin/sendmail
sendmail interface is provided by the MTA email software (Sendmail, Postfix, Exim etc.) installed on the system. Although the basic functionality (such as -t -i -f parameters) remains the same for compatibility reasons, other functions and parameters vary greatly depending on the MTA installed.
Here are a few examples of different man pages of sendmail command/interface: