There is no guide or written piece that I would be comfortable sharing that would likely convey what I would want. However, this is a good case for us here at dmarcian to begin work on a piece that will hopefully help.
As far as identifying specific emails, DMARC feedback reports and Failure reports can help. Failure reports (also known as forensic reports) are rarely sent by reporters, so you cannot rely on those to always provide an answer. In the case of feedback reports, this is where DKIM shines. The typical case of automated forwarding will keep all original headers of the mail sent, and since DKIM is a header, it will in most cases remain.
A receiver will, in most cases, validate all signatures which exist on an email. A DMARC feedback report will often contain which selector the receiver saw as part of the signature it verified. A DKIM selector can provide a lot of insight as to where the email comes from. For example, let’s assume an email is sent from Microsoft Office 365. The selectors used by MS are selector1 and selector2. Now let’s assume the forwarder is Google. What you will see in the DMARC feedback report is Google as the sending network, but a DKIM signature (passing or failing) using a signature of selector1 or selector2, along with the signing domain. Knowing you use O365 in this example to send mail, you then know the original source of the emails was Office 365, sent to a Google environment.
Now, this won’t tell you which “specific” emails from O365 were sent, but it’s a start. An additional data point to look at is the return-path. If the return-path is different than your domain, and since you identified the source is your O365 tenant, then this means some kind of address rewriting took place. The typical behaviour is for the return-path to be changed to the domain owned by the forwarder, so that bounce backs will be sent to the forwarder in case of issues. This can be a breadcrumb trail to knowing which domains your O365 emails were sent to that were forwarded.
Ultimately though, forwarding happens a LOT, and it is simply not realistic to identify each individual forwarder unless your recipient audience is very thin.
I hope this helps.
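The selector and return-path check described in the reply above, as an added example that is not part of the original post and is not dmarcian's code. It assumes the aggregate report follows the RFC 7489 XML layout, that the SPF domain in `auth_results` reflects the return-path domain, and that `example.com`, `forwarder.example` and the IP addresses are constructed placeholders; `find_forwarded` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (RFC 7489 layout); all values are made up.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>4</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector2</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>2</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>other.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def find_forwarded(xml_text, my_domain, my_selectors):
    """Return rows signed with one of our selectors whose return-path domain is not ours."""
    hits = []
    for rec in ET.fromstring(xml_text).iter("record"):
        spf_domain = (rec.findtext("auth_results/spf/domain") or "").lower()
        for sig in rec.iterfind("auth_results/dkim"):
            domain = (sig.findtext("domain") or "").lower()
            selector = sig.findtext("selector")  # optional element, may be absent
            if domain == my_domain and selector in my_selectors and spf_domain != my_domain:
                hits.append({
                    "source_ip": rec.findtext("row/source_ip"),
                    "count": int(rec.findtext("row/count") or 0),
                    "selector": selector,
                    "dkim_result": sig.findtext("result"),
                    "return_path_domain": spf_domain,
                })
    return hits

if __name__ == "__main__":
    for hit in find_forwarded(SAMPLE_REPORT, "example.com", {"selector1", "selector2"}):
        print(hit)
```

Aggregate reports arrive from third parties, so a hardened XML parser such as `defusedxml` is a better fit than the standard library parser when processing real mailboxes.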