Fix “From”, “Name”, and “Return-Path” headers for all WP notification emails since this is a long-standing WP security vulnerability.
Agree, this functionality should be in core: https://wordpress.org/plugins/host-header-injection-fix/
(not my plugin/no affiliation; noted for reference)
A quick read suggests that the root problem is that the web server doesn't handle $_SERVER['SERVER_NAME'] correctly.
Is there more to it than that?
If not, I'd suggest a better solution is to flag this during install/upgrade so that the actual problem can be fixed, and point people towards a suitable plugin if they can't/won't fix the real problem.