Rule to quarantine emails with DKIM="none"

Currently our company is looking to clamp down on phishing emails coming through our domain, and we have noticed that many messages reported to us by our users have dkim="none" rather than pass or fail. While I am aware Defender automatically quarantines fails, I could not find anywhere detailing how to set up a rule sending emails with dkim="none" to quarantine as well.

Can this be done in Defender or Exchange Admin Center?

Any help is appreciated!

2 Replies

@Andrew_Bolz did you configure your domain to sign your email with DKIM?

If your senders (on premises systems and trusted third parties) have established IP ranges then you can have a mail flow rule:

if message is inbound
and sender domain is {yours, or any others you can protect using this method}
take action
except if sender IP is {your egress, your trusted third parties, etc}

Now the action can be to stamp the subject line, add a disclaimer header, divert the message to the hosted quarantine or a secops mailbox or just drop the message. It depends on how confident you are about those exception ranges and of course you should start with a non-intrusive action such as adding a header when you are first testing.

If comprehensively implementing DKIM is going to be a protracted struggle then this may give you a quicker solution.

Needless to say, ideally those IP ranges should already be in your domain SPF record with a good strong -all HARDFAIL at the end, but you may not be confident enough to make that statement. If the IP ranges are wobbly or dangerously inclusive then that is going to be a problem anyway.
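
The mail flow rule outlined in the reply above, written for Exchange Online PowerShell as an added example (not code from the thread's participants). The rule names, the domain, the IP ranges and the header name are placeholders chosen for illustration; it assumes an active Connect-ExchangeOnline session.

```powershell
# Added example. Every name, domain and IP range here is a placeholder (assumption).
# Requires the ExchangeOnlineManagement module and a Connect-ExchangeOnline session.

$ProtectedDomains = @('contoso.com')                    # placeholder: your own domain(s)
$TrustedRanges    = @('192.0.2.10', '198.51.100.0/24')  # placeholder: your egress, trusted third parties

# Conditions shared by both stages:
#   inbound, sender domain is one of yours, except when the sender IP is trusted.
$Match = @{
    FromScope              = 'NotInOrganization'   # message comes from outside the organization
    SenderDomainIs         = $ProtectedDomains
    SenderAddressLocation  = 'HeaderOrEnvelope'    # check the From header and the envelope sender
    ExceptIfSenderIpRanges = $TrustedRanges
}

# Stage 1 (testing): non-intrusive action. Stamp a header so matches can be
# reviewed before anything is diverted.
New-TransportRule @Match `
    -Name 'Own domain from untrusted IP - tag' `
    -SetHeaderName 'X-Own-Domain-Untrusted-IP' `
    -SetHeaderValue 'true' `
    -Comments 'Test stage: header only, review matches before enforcing.'

# Stage 2 (enforcement): same conditions, hosted quarantine as the action.
# Created disabled so it does nothing until the exception ranges are trusted.
New-TransportRule @Match `
    -Name 'Own domain from untrusted IP - quarantine' `
    -Quarantine $true `
    -Enabled $false `
    -Comments 'Enable only after the tag rule shows no legitimate senders.'

# Review what was created.
Get-TransportRule -Identity 'Own domain from untrusted IP*' |
    Format-List Name, State, Mode, Priority

# When confident in the exception list, swap the stages:
# Disable-TransportRule -Identity 'Own domain from untrusted IP - tag' -Confirm:$false
# Enable-TransportRule  -Identity 'Own domain from untrusted IP - quarantine'
```

Keeping the conditions in one splatted hashtable means the tagging rule and the quarantine rule cannot drift apart while the exception ranges are being tuned.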