diff --git a/CHANGES b/CHANGES
index 422bda368..ffe65dc91 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2494,4 +2494,5 @@
 * transfer ownership route is not used anymore
 * graphite: fix issue where disk names with '.' do not render
 * dark mode fixes
+* sendmail: mail from display name
 
diff --git a/src/mail.js b/src/mail.js
index d3f9ac567..fa7fe6f23 100644
--- a/src/mail.js
+++ b/src/mail.js
@@ -173,7 +173,8 @@ function validateDisplayName(name) {
     assert.strictEqual(typeof name, 'string');
 
     if (name.length < 1) return new BoxError(BoxError.BAD_FIELD, 'mailbox display name must be atleast 1 char');
-    if (name.length >= 100) return new BoxError(BoxError.BAD_FIELD, 'mailbox name too long');
+    if (name.length >= 100) return new BoxError(BoxError.BAD_FIELD, 'mailbox display name too long');
+    if (/["<>@]/.test(name)) return new BoxError(BoxError.BAD_FIELD, 'mailbox display name is not valid');
 
     return null;
 }