Can I safely send a Certificate Request (CSR) by Email?

Yes. The CSR is your public key, which will be verified and signed by the certificate authority (CA) and returned to you afterward. It is this signed version you will then use in your application. It is useless without the private key, so even if someone makes a copy of it, they won’t be able to attack you.

However, this does mean that you must not send your private key out! If your private key gets stolen, the SSL certificate is compromised and must be revoked.