most likely you are using different triggers int he Behaviors for sending the email, and Validating / inserting to the database.
Make sure that all the behaviors use the same trigger.
if it is set up where validation uses a trigger Button Submit pressed, and the email behavior is set to any form post, it can pretty easy to get around the validation, an attacker would save the source of your page to a local copy, then edit the name of the submit button and change the form action to post to the page on your site.
By changing the submit button name, they by pass the validation, but still trigger sending the email.