diff --git a/CHANGELOG.md b/CHANGELOG.md
index bd0e5c2..2610d24 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 ## 1.1.1 under development
 
-- no changes in this release.
+- New #421: Improve `prod-deploy` error handling so exact error is printed in case of rollback (@samdark)
 
 ## 1.1.0 December 20, 2025
 
diff --git a/Makefile b/Makefile
index 49d1505..60b2470 100644
--- a/Makefile
+++ b/Makefile
@@ -122,7 +122,19 @@ endif
 
 ifeq ($(PRIMARY_GOAL),prod-deploy)
 prod-deploy: ## PROD | Deploy to production
-	docker -H ${PROD_SSH} stack deploy --prune --detach=false --with-registry-auth -c docker/compose.yml -c docker/prod/compose.yml ${STACK_NAME}
+	set -euo pipefail \
+	docker -H ${PROD_SSH} stack deploy --prune --detach=false --with-registry-auth -c docker/compose.yml -c docker/prod/compose.yml ${STACK_NAME} 2>&1 | tee deploy.log \
+	if grep -qiE 'rollback:|update rolled back' deploy.log then \
+		FAILED_TASK_ID="$(grep -oiE 'task[[:space:]]+[a-z0-9]+' deploy.log | head -n 1 | awk '{print $2}')" \
+		if [ -n "${FAILED_TASK_ID}" ]; then \
+			echo "Docker Swarm update rolled back; failing job. Failed task ID: ${FAILED_TASK_ID}" \
+			echo "--- docker service logs (${FAILED_TASK_ID}) ---" \
+			docker -H ${PROD_SSH} service logs --timestamps --tail 500 "${FAILED_TASK_ID}" || true \
+		else \
+			echo 'Docker Swarm update rolled back; failing job. Failed task ID: not found in deploy output.' \
+		fi \
+		exit 1 \
+	fi
 endif
 
 #