diff --git a/octodns/manager.py b/octodns/manager.py
index dd36e9a..7c84deb 100644
--- a/octodns/manager.py
+++ b/octodns/manager.py
@@ -428,7 +428,8 @@ class Manager(object):
                         # they're sensitive so just provide the key, and even
                         # that only at debug level.
                         self.log.debug(
-                            '_build_kwargs: no handler found for the value of {k}'
+                            '_build_kwargs: failed to find handler for key "%sp ',
+                            k,
                         )
                     else:
                         v = handler.fetch(name, source)
diff --git a/tests/config/secrets.yaml b/tests/config/secrets.yaml
new file mode 100644
index 0000000..d46e74f
--- /dev/null
+++ b/tests/config/secrets.yaml
@@ -0,0 +1,19 @@
+---
+secret_handlers:
+  dummy:
+    class: helpers.DummySecrets
+    prefix: in_config/
+  requires-env:
+    class: helpers.DummySecrets
+    # things can pull from env, it prexists
+    prefix: env/FROM_ENV_WILL_WORK
+  requires-dummy:
+    class: helpers.DummySecrets
+    # things can't pull from other handlers, the order they're configured in is
+    # indeterminent so it's not safe, they're also all added at once
+    prefix: dummy/FROM_DUMMY_WONT_WORK
+
+# Not needed, but required key
+providers: {}
+# Not needed, but required key
+zones: {}
diff --git a/tests/helpers.py b/tests/helpers.py
index 5ec8761..b19d236 100644
--- a/tests/helpers.py
+++ b/tests/helpers.py
@@ -140,6 +140,7 @@ class CountingProcessor(BaseProcessor):
 class DummySecrets(BaseSecrets):
     def __init__(self, name, prefix):
         super().__init__(name)
+        self.log.info('__init__: name=%s, prefix=%s', name, prefix)
         self.prefix = prefix
 
     def fetch(self, name, source):
diff --git a/tests/test_octodns_manager.py b/tests/test_octodns_manager.py
index 20be8a6..04eb68c 100644
--- a/tests/test_octodns_manager.py
+++ b/tests/test_octodns_manager.py
@@ -8,6 +8,7 @@ from unittest import TestCase
 from unittest.mock import MagicMock, patch
 
 from helpers import (
+    DummySecrets,
     DynamicProvider,
     GeoProvider,
     NoSshFpProvider,
@@ -1249,6 +1250,37 @@ class TestManager(TestCase):
         self.assertTrue(sh)
         self.assertEqual('pre-thing', sh.fetch('thing', None))
 
+        # test configuring secret handlers
+        environ['FROM_ENV_WILL_WORK'] = 'fetched_from_env/'
+        manager = Manager(get_config_filename('secrets.yaml'))
+
+        # dummy was configured
+        self.assertTrue('dummy' in manager.secret_handlers)
+        dummy = manager.secret_handlers['dummy']
+        self.assertIsInstance(dummy, DummySecrets)
+        # and has the prefix value explicitly stated in the yaml
+        self.assertEqual('in_config/hello', dummy.fetch('hello', None))
+
+        # requires-env was configured
+        self.assertTrue('requires-env' in manager.secret_handlers)
+        requires_env = manager.secret_handlers['requires-env']
+        self.assertIsInstance(requires_env, DummySecrets)
+        # and successfully pulled a value from env as its prefix
+        self.assertEqual(
+            'fetched_from_env/hello', requires_env.fetch('hello', None)
+        )
+
+        # requires-dummy was created
+        self.assertTrue('requires-dummy' in manager.secret_handlers)
+        requires_dummy = manager.secret_handlers['requires-dummy']
+        self.assertIsInstance(requires_dummy, DummySecrets)
+        # but failed to fetch a secret from dummy so we just get the configured
+        # value as it was in the yaml for prefix
+        self.assertEqual(
+            'dummy/FROM_DUMMY_WONT_WORK:hello',
+            requires_dummy.fetch(':hello', None),
+        )
+
 
 class TestMainThreadExecutor(TestCase):
     def test_success(self):