diff --git a/controllers/kustomization_decryptor.go b/controllers/kustomization_decryptor.go
index 9b3663b..c19d948 100644
--- a/controllers/kustomization_decryptor.go
+++ b/controllers/kustomization_decryptor.go
@@ -67,12 +67,16 @@ const (
 	// DecryptionAzureAuthFile is the name of the file containing the Azure
 	// credentials.
 	DecryptionAzureAuthFile = "sops.azure-kv"
-)
 
-var (
 	// maxEncryptedFileSize is the max allowed file size in bytes of an encrypted
 	// file.
 	maxEncryptedFileSize int64 = 5 << 20
+	// unsupportedFormat is used to signal no sopsFormatToMarkerBytes format was
+	// detected by detectFormatFromMarkerBytes.
+	unsupportedFormat = formats.Format(-1)
+)
+
+var (
 	// sopsFormatToString is the counterpart to
 	// https://github.com/mozilla/sops/blob/v3.7.2/cmd/sops/formats/formats.go#L16
 	sopsFormatToString = map[formats.Format]string{
@@ -334,9 +338,9 @@ func (d *KustomizeDecryptor) DecryptResource(res *resource.Resource) (*resource.
 					continue
 				}
 
-				if bytes.Contains(data, sopsFormatToMarkerBytes[formats.Yaml]) || bytes.Contains(data, sopsFormatToMarkerBytes[formats.Json]) {
+				if inF := detectFormatFromMarkerBytes(data); inF != unsupportedFormat {
 					outF := formatForPath(key)
-					out, err := d.SopsDecryptWithFormat(data, formats.Yaml, outF)
+					out, err := d.SopsDecryptWithFormat(data, inF, outF)
 					if err != nil {
 						return nil, fmt.Errorf("failed to decrypt and format '%s/%s' Secret field '%s': %w",
 							res.GetNamespace(), res.GetName(), key, err)
@@ -412,7 +416,7 @@ func (d *KustomizeDecryptor) decryptKustomizationEnvSources(visited map[string]s
 			}
 			for _, envFile := range gen.EnvSources {
 				format := formatForPath(envFile)
-				if formatForPath(envFile) == formats.Binary {
+				if format == formats.Binary {
 					// Default to dotenv
 					format = formats.Dotenv
 				}
@@ -740,3 +744,12 @@ func formatForPath(path string) formats.Format {
 		return formats.FormatForPath(path)
 	}
 }
+
+func detectFormatFromMarkerBytes(b []byte) formats.Format {
+	for k, v := range sopsFormatToMarkerBytes {
+		if bytes.Contains(b, v) {
+			return k
+		}
+	}
+	return unsupportedFormat
+}
diff --git a/controllers/kustomization_decryptor_test.go b/controllers/kustomization_decryptor_test.go
index deb29cc..1a529c5 100644
--- a/controllers/kustomization_decryptor_test.go
+++ b/controllers/kustomization_decryptor_test.go
@@ -846,7 +846,7 @@ func TestKustomizeDecryptor_DecryptResource(t *testing.T) {
 				"name":      "secret",
 				"namespace": "test",
 			},
-			"type": corev1.SecretTypeDockercfg,
+			"type": corev1.SecretTypeDockerConfigJson,
 			"data": map[string]interface{}{
 				corev1.DockerConfigJsonKey: base64.StdEncoding.EncodeToString(encData),
 			},
@@ -1725,3 +1725,29 @@ func Test_formatForPath(t *testing.T) {
 		})
 	}
 }
+
+func Test_detectFormatFromMarkerBytes(t *testing.T) {
+	tests := []struct {
+		name string
+		b    []byte
+		want formats.Format
+	}{
+		{
+			name: "detects format",
+			b:    bytes.Join([][]byte{[]byte("random other bytes"), sopsFormatToMarkerBytes[formats.Yaml], []byte("more random bytes")}, []byte(" ")),
+			want: formats.Yaml,
+		},
+		{
+			name: "returns unsupported format",
+			b:    []byte("no marker bytes present"),
+			want: unsupportedFormat,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := detectFormatFromMarkerBytes(tt.b); got != tt.want {
+				t.Errorf("detectFormatFromMarkerBytes() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}