Can you define "complain"? SRS encoding, which SM can implement, is the usual technique to prevent SPF FAIL when a message is forwarded.
Rewriting of the message's From should not be necessary if you are forwarding the message without modification. Adding text to the message will break the originator's DKIM signature, which can be a problem if the sender requests DMARC enforcement and the evaluator applies DMARC enforcement. Most users do not want From to be rewritten, since "From" should represent the author and the usual reply-to address. So the best strategy is to not apply tagging if a message might be forwarded.
Forwarding is a lose-lose proposition for you. If you let any spam through, as determined by the recipient, the recipient's mail system will blame you, not the originator. If that means you get blacklisted, that's a problem. If you lock down your system so that no spam gets through, you will probably have false positives (as judged by the account owner), and the account owner will blame you for blocking email that he wants. Since everyone has a different and imperfect approach to email filtering, your chance of getting the right balance is somewhere between zero and zero.
Allowing employees to forward mail to their personal account creates just as many risks to the business: corporate data becomes personal data, replies become personal correspondence rather than corporate correspondence, and regulated data may be handled in ways that violate regulations. Employee accounts can be disabled or managed by a replacement employee. Off-network communication can never be disabled.
The bare minimum for safe forwarding is that the system owner (you) MUST know that the targeted account actually wants the forwarding to happen, as evidenced by an email from that account to you. Otherwise, you might be a participant in an accidental or intentional assault on that mailbox. Not that any known mail system will give you that power.
An even better requirement is to also require an email from the recipient's mail system administrator indicating that they are willing to accept your forwarding stream. With this knowledge, hopefully they will use that knowledge to judge the true source of unwanted messages (not you), although this is also wishful thinking.
Postfix is highly configurable. If you use it as an outgoing gateway and filter, you could probably build something like what you want or something like what I propose. But it runs on Linux, so one will need to know or learn Linux while learning a very complex mail product.
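
An added example, not part of the original reply and not any mail server's own code: a simplified sketch of the SRS0 envelope-sender rewrite mentioned above, showing that only the envelope sender moves into the forwarder's domain (so SPF is checked against the forwarder) while the From header and body, and therefore the DKIM signature, stay untouched. The secret, the `forwarder.example` domain, the 21-day validity window and the base32 tag encoding are assumptions for illustration; it is not wire-compatible with libsrs2.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-secret"  # constructed; a real forwarder keeps this private
FORWARDER = "forwarder.example"      # hypothetical forwarding domain
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                    # assumed validity window for returning bounces

def _today(now=None):
    # Day counter modulo 1024, so it fits in two base32 characters.
    return int((time.time() if now is None else now) // 86400) % 1024

def _tag(stamp, domain, local):
    # Short keyed hash binding timestamp, original domain and original local part.
    msg = f"{stamp}={domain}={local}".lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b32encode(mac).decode()[:4]

def srs_forward(env_from, now=None):
    """Rewrite the envelope sender (MAIL FROM) before relaying a forwarded message."""
    local, _, domain = env_from.rpartition("@")
    day = _today(now)
    stamp = B32[day >> 5] + B32[day & 31]
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"

def srs_reverse(rcpt, now=None):
    """Map a bounce recipient back to the original sender; None if forged or expired."""
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != FORWARDER or not local.upper().startswith("SRS0="):
        return None
    parts = local[5:].split("=", 3)  # the original local part may itself contain '='
    if len(parts) != 4:
        return None
    tag, stamp, odomain, olocal = parts
    stamp = stamp.upper()
    expected = _tag(stamp, odomain, olocal).encode()
    if not hmac.compare_digest(tag.upper().encode("utf-8"), expected):
        return None                  # tag mismatch: address was not issued by us
    # A valid tag implies the stamp is one we generated, so indexing is safe here.
    issued = B32.index(stamp[0]) * 32 + B32.index(stamp[1])
    if (_today(now) - issued) % 1024 > MAX_AGE_DAYS:
        return None                  # too old: refuse to relay the bounce
    return f"{olocal}@{odomain}"

if __name__ == "__main__":
    rewritten = srs_forward("alice@sender.example")
    print(rewritten, "->", srs_reverse(rewritten))
```

The keyed tag is what keeps the rewritten address from turning the forwarder into an open bounce relay: a bounce addressed to an `SRS0=` address that fails verification is dropped rather than relayed.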