That said, here are the answers to your questions:
2.) It's not true. If a form submission results in an email being sent, this is done by the server. The client doesn't know anything about what happens on the server after the form has been submitted.
3.) There is no such thing as form submission "only with HTML and CSS". For the submission to actually have any effect, there has to be server-side code in place to handle the submission, and that's exactly the place where you have to deal with security considerations.