diff --git a/src/src/expand.c b/src/src/expand.c
index dba047b..206a869 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -410,6 +410,7 @@ static var_entry var_table[] = {
   { "address_data",        vtype_stringptr,   &deliver_address_data },
   { "address_file",        vtype_stringptr,   &address_file },
   { "address_pipe",        vtype_stringptr,   &address_pipe },
+  { "authenticated_fail_id",vtype_stringptr,  &authenticated_fail_id },
   { "authenticated_id",    vtype_stringptr,   &authenticated_id },
   { "authenticated_sender",vtype_stringptr,   &authenticated_sender },
   { "authentication_failed",vtype_int,        &authentication_failed },
diff --git a/src/src/globals.c b/src/src/globals.c
index 74b6edb..05bb0ae 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -371,6 +371,7 @@ BOOL    allow_mx_to_ip         = FALSE;
 BOOL    allow_unqualified_recipient = TRUE;    /* For local messages */
 BOOL    allow_unqualified_sender = TRUE;       /* Reset for SMTP */
 BOOL    allow_utf8_domains     = FALSE;
+uschar *authenticated_fail_id  = NULL;
 uschar *authenticated_id       = NULL;
 uschar *authenticated_sender   = NULL;
 BOOL    authentication_failed  = FALSE;
diff --git a/src/src/globals.h b/src/src/globals.h
index db436c0..2cc1688 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -192,6 +192,7 @@ extern BOOL    allow_mx_to_ip;         /* Allow MX records to -> ip address */
 extern BOOL    allow_unqualified_recipient; /* As it says */
 extern BOOL    allow_unqualified_sender; /* Ditto */
 extern BOOL    allow_utf8_domains;     /* For experimenting */
+extern uschar *authenticated_fail_id;  /* ID that failed authentication */
 extern uschar *authenticated_id;       /* ID that was authenticated */
 extern uschar *authenticated_sender;   /* From AUTH on MAIL */
 extern BOOL    authentication_failed;  /* TRUE if AUTH was tried and failed */
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index cb1a869..4740aa5 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2821,6 +2821,7 @@ while (done <= 0)
         if (set_id != NULL) authenticated_id = string_copy_malloc(set_id);
         sender_host_authenticated = au->name;
         authentication_failed = FALSE;
+        authenticated_fail_id = NULL;   /* Impossible to already be set? */
         received_protocol =
           protocols[pextend + pauthed + ((tls_in.active >= 0)? pcrpted:0)] +
             ((sender_host_address != NULL)? pnlocal : 0);
@@ -2836,6 +2837,7 @@ while (done <= 0)
       /* Fall through */
 
       case DEFER:
+      if (set_id != NULL) authenticated_fail_id = string_copy_malloc(set_id);
       s = string_sprintf("435 Unable to authenticate at present%s",
         auth_defer_user_msg);
       ss = string_sprintf("435 Unable to authenticate at present%s: %s",
@@ -2855,11 +2857,13 @@ while (done <= 0)
       break;
 
       case FAIL:
+      if (set_id != NULL) authenticated_fail_id = string_copy_malloc(set_id);
       s = US"535 Incorrect authentication data";
       ss = string_sprintf("535 Incorrect authentication data%s", set_id);
       break;
 
       default:
+      if (set_id != NULL) authenticated_fail_id = string_copy_malloc(set_id);
       s = US"435 Internal error";
       ss = string_sprintf("435 Internal error%s: return %d from authentication "
         "check", set_id, c);