How Can You Tell Who Is Using the Forwarding Email Services on your Domain?

We are using the free Valimail Report Analyzer to receive and compile our DMARC XML reports. I see some emails originating from forwarding email services (G Suite, Autotask, Rackspace Hosted Exchange, Office 365). Two of them passed (G Suite, Office 365) and three of them failed (Autotask, Rackspace Hosted Exchange, and Office 365). How can I tell who of our internal users may be using these services? I don’t care to know where the spoofing emails are coming from, since those should be blocked when I change my DMARC policy. I don’t want to block mailing services if they are legitimately being used by internal users (like HR or Finance). Thanks for your input!